Weaknesses and vulnerabilities are both states that indicate security risks. While weakness refers to an application error or bug, it may escalate to a vulnerability in cases where it can be exploited to perform a malicious action. The difference between a weakness and a vulnerability is the availability of a specific payload allowing it to be exploited. Once an exploit is available it is considered a confirmed vulnerability and as such it holds greater risk to the application security.