Cyber Resilience


CWE-99: Improper Control of Resource Identifiers ('Resource Injection')

Abstraction: Class · CVEs in our corpus: 56

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

A resource injection issue occurs when the following two conditions are met: This may enable an attacker to access or modify otherwise protected system resources.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 7 mapping(s) from 4 framework(s): ASVS 5.0 4 (partial) · CAPEC 1 (partial) · OWASP-Web 1 (partial) · ATT&CK 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A05:2025 Injection.

NIST 800-53 r5 controls that address this weakness (0) · AI

Control | Title | Family | Why it addresses this CWE
No NIST controls proposed yet.

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE | Risk | CVSS | EPSS | Published
CVE-2017-5159 | 7.0 | 9.8 | 0.0243 | 2017-02-13
CVE-2024-57971 | 7.0 | 9.1 | 0.0067 | 2025-02-16
CVE-2025-0756 (UPD) | 7.0 | 9.1 | 0.0079 | 2025-04-16
CVE-2025-2410 (UPD) | 7.0 | 9.1 | 0.0043 | 2025-05-22
CVE-2025-43491 | 7.0 | 9.8 | 0.0026 | 2025-09-09
CVE-2019-6545 | 6.0 | 7.5 | 0.1386 | 2019-02-13
CVE-2020-5230 | 5.5 | 7.7 | 0.0117 | 2020-01-30
CVE-2020-8177 | 5.5 | 7.8 | 0.0124 | 2020-12-14
CVE-2021-22879 | 5.5 | 8.8 | 0.0470 | 2021-04-14
CVE-2021-42360 | 5.5 | 7.6 | 0.0059 | 2021-11-17
CVE-2022-39369 | 5.5 | 8.0 | 0.0106 | 2022-11-01
CVE-2023-3517 | 5.5 | 8.5 | 0.0064 | 2023-12-12
CVE-2023-6605 | 5.5 | 7.2 | 0.0027 | 2025-01-06
CVE-2024-5706 | 5.5 | 8.8 | 0.0066 | 2025-02-19
CVE-2026-3693 | 5.5 | 7.3 | 0.0040 | 2026-03-08
CVE-2016-8615 | 3.5 | 5.3 | 0.0450 | 2018-08-01
CVE-2019-1860 | 3.5 | 5.9 | 0.0126 | 2019-05-16
CVE-2020-6245 | 3.5 | 6.7 | 0.0034 | 2020-05-12
CVE-2022-1287 | 3.5 | 6.5 | 0.0071 | 2022-04-09
CVE-2022-27670 | 3.5 | 6.5 | 0.0091 | 2022-04-12
CVE-2022-3774 | 3.5 | 5.4 | 0.0113 | 2022-10-31
CVE-2023-2980 | 3.5 | 6.3 | 0.0112 | 2023-05-30
CVE-2024-4294 | 3.5 | 6.3 | 0.0086 | 2024-04-27
CVE-2024-4817 | 3.5 | 6.3 | 0.0092 | 2024-05-14
CVE-2024-7437 | 3.5 | 5.4 | 0.0044 | 2024-08-03