Cyber Resilience


CWE-20: Improper Input Validation

Abstraction: Class · CVEs in our corpus: 12,597

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Input validation is a frequently used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. Input can consist of:

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of metadata and raw data, with other simple or structured data. Many properties of raw data or metadata may need to be validated upon entry into the code, such as:

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties may be considered a contributing factor to improper input validation.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 57 mapping(s) from 4 framework(s): CAPEC 50 (partial) · ATT&CK 5 (partial) · STIG rhel 8 1 (partial) · OWASP-Web 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A05:2025 Injection.

NIST 800-53 r5 controls that address this weakness (4)

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-10 | Information Input Validation | SI | Directly implements checks on information inputs to reject invalid data before processing. |
| SI-8 | Spam Protection | SI | Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content. |
| PM-14 | Testing, Training, and Monitoring | PM | Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses. |
| SA-11 | Developer Testing and Evaluation | SA | Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied. |

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2009-0927 | 10.0 (KEV) | 8.8 | 0.9660 | 2009-03-19 |
| CVE-2009-2055 | 10.0 (KEV) | 5.9 | 0.0333 | 2009-08-19 |
| CVE-2012-0151 | 10.0 (KEV) | 7.8 | 0.8878 | 2012-04-10 |
| CVE-2012-1535 | 10.0 (KEV) | 7.8 | 0.7038 | 2012-08-15 |
| CVE-2013-6282 | 10.0 (KEV) | 8.8 | 0.3971 | 2013-11-20 |
| CVE-2016-3714 | 10.0 (KEV) | 8.4 | 0.9748 | 2016-05-05 |
| CVE-2017-0148 | 10.0 (KEV) | 8.1 | 0.9937 | 2017-03-17 |
| CVE-2017-3881 | 10.0 (KEV) | 9.8 | 0.9898 | 2017-03-17 |
| CVE-2017-9791 | 10.0 (KEV) | 9.8 | 0.9893 | 2017-07-10 |
| CVE-2015-2291 | 10.0 (KEV) | 7.8 | 0.0901 | 2017-08-09 |
| CVE-2017-12233 | 10.0 (KEV) | 7.5 | 0.0694 | 2017-09-29 |
| CVE-2017-12234 | 10.0 (KEV) | 7.5 | 0.0694 | 2017-09-29 |
| CVE-2017-12235 | 10.0 (KEV) | 7.5 | 0.0694 | 2017-09-29 |
| CVE-2017-12240 | 10.0 (KEV) | 9.8 | 0.1352 | 2017-09-29 |
| CVE-2017-15944 | 10.0 (KEV) | 9.8 | 0.9834 | 2017-12-11 |
| CVE-2018-0125 | 10.0 (KEV) | 9.8 | 0.5476 | 2018-02-08 |
| CVE-2018-0147 | 10.0 (KEV) | 9.8 | 0.1855 | 2018-03-08 |
| CVE-2017-12319 | 10.0 (KEV) | 5.9 | 0.0537 | 2018-03-27 |
| CVE-2018-0156 | 10.0 (KEV) | 7.5 | 0.0837 | 2018-03-28 |
| CVE-2018-0158 | 10.0 (KEV) | 8.6 | 0.0719 | 2018-03-28 |
| CVE-2018-0159 | 10.0 (KEV) | 7.5 | 0.0687 | 2018-03-28 |
| CVE-2018-0171 | 10.0 (KEV) | 9.8 | 0.9951 | 2018-03-28 |
| CVE-2018-0172 | 10.0 (KEV) | 8.6 | 0.0782 | 2018-03-28 |
| CVE-2018-0173 | 10.0 (KEV) | 8.6 | 0.0761 | 2018-03-28 |
| CVE-2018-0174 | 10.0 (KEV) | 8.6 | 0.0761 | 2018-03-28 |