CWE · MITRE source
CWE-20: Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Input validation is a frequently used technique for checking potentially dangerous inputs in order to ensure that they are safe for processing within the code, or when communicating with other components. Input can consist of raw data and of metadata about that data.

Data can be simple or structured. Structured data can be composed of many nested layers, combining metadata and raw data with other simple or structured data. Many properties of raw data or metadata may need to be validated upon entry into the code.

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving those properties may be considered a contributing factor to improper input validation.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: partial · 57 mapping(s) from 4 framework(s): CAPEC 50 (partial) · ATT&CK 5 (partial) · STIG rhel 8 1 (partial) · OWASP-Web 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A05:2025 Injection.
NIST 800-53 r5 controls that address this weakness (4) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-10 | Information Input Validation | SI | Directly implements checks on information inputs to reject invalid data before processing. |
| SI-8 | Spam Protection | SI | Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content. |
| PM-14 | Testing, Training, and Monitoring | PM | Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses. |
| SA-11 | Developer Testing and Evaluation | SA | Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2009-0927 KEV | 10.0 | 8.8 | 0.9660 | 2009-03-19 |
| CVE-2009-2055 KEV | 10.0 | 5.9 | 0.0333 | 2009-08-19 |
| CVE-2012-0151 KEV | 10.0 | 7.8 | 0.8878 | 2012-04-10 |
| CVE-2012-1535 KEV | 10.0 | 7.8 | 0.7038 | 2012-08-15 |
| CVE-2013-6282 KEV | 10.0 | 8.8 | 0.3971 | 2013-11-20 |
| CVE-2016-3714 KEV | 10.0 | 8.4 | 0.9748 | 2016-05-05 |
| CVE-2017-0148 KEV | 10.0 | 8.1 | 0.9937 | 2017-03-17 |
| CVE-2017-3881 KEV | 10.0 | 9.8 | 0.9898 | 2017-03-17 |
| CVE-2017-9791 KEV | 10.0 | 9.8 | 0.9893 | 2017-07-10 |
| CVE-2015-2291 KEV | 10.0 | 7.8 | 0.0901 | 2017-08-09 |
| CVE-2017-12233 KEV | 10.0 | 7.5 | 0.0694 | 2017-09-29 |
| CVE-2017-12234 KEV | 10.0 | 7.5 | 0.0694 | 2017-09-29 |
| CVE-2017-12235 KEV | 10.0 | 7.5 | 0.0694 | 2017-09-29 |
| CVE-2017-12240 KEV | 10.0 | 9.8 | 0.1352 | 2017-09-29 |
| CVE-2017-15944 KEV | 10.0 | 9.8 | 0.9834 | 2017-12-11 |
| CVE-2018-0125 KEV | 10.0 | 9.8 | 0.5476 | 2018-02-08 |
| CVE-2018-0147 KEV | 10.0 | 9.8 | 0.1855 | 2018-03-08 |
| CVE-2017-12319 KEV | 10.0 | 5.9 | 0.0537 | 2018-03-27 |
| CVE-2018-0156 KEV | 10.0 | 7.5 | 0.0837 | 2018-03-28 |
| CVE-2018-0158 KEV | 10.0 | 8.6 | 0.0719 | 2018-03-28 |
| CVE-2018-0159 KEV | 10.0 | 7.5 | 0.0687 | 2018-03-28 |
| CVE-2018-0171 KEV | 10.0 | 9.8 | 0.9951 | 2018-03-28 |
| CVE-2018-0172 KEV | 10.0 | 8.6 | 0.0782 | 2018-03-28 |
| CVE-2018-0173 KEV | 10.0 | 8.6 | 0.0761 | 2018-03-28 |
| CVE-2018-0174 KEV | 10.0 | 8.6 | 0.0761 | 2018-03-28 |