A05:2025 Injection
Untrusted input crosses an interpreter boundary without proper neutralization, so data is parsed as part of a query, command, or document. Examples include SQL, OS command, LDAP, XSS, and template injection.
Related on the LLM side: OWASP Top 10 for LLMs LLM01:2025.
Member CWEs (37)
- CWE-20 Improper Input Validation
- CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-76 Improper Neutralization of Equivalent Special Elements
- CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-83 Improper Neutralization of Script in Attributes in a Web Page
- CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
- CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
- CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
- CWE-91 XML Injection (aka Blind XPath Injection)
- CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
- CWE-94 Improper Control of Generation of Code ('Code Injection')
- CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
- CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
- CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
- CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
- CWE-99 Improper Control of Resource Identifiers ('Resource Injection')
- CWE-103 Struts: Incomplete validate() Method Definition
- CWE-104 Struts: Form Bean Does Not Extend Validation Class
- CWE-112 Missing XML Validation
- CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
- CWE-114 Process Control
- CWE-115 Misinterpretation of Input
- CWE-116 Improper Encoding or Escaping of Output
- CWE-129 Improper Validation of Array Index
- CWE-159 Improper Handling of Invalid Use of Special Elements
- CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
- CWE-493 Critical Public Variable Without Final Modifier
- CWE-500 Public Static Field Not Marked Final
- CWE-564 SQL Injection: Hibernate
- CWE-610 Externally Controlled Reference to a Resource in Another Sphere
- CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
- CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax
- CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Mapped NIST 800-53 r5 controls (1)
Our two-way, human-QA’d reading of how this category and each NIST 800-53 control relate. No external body publishes an OWASP→800-53 mapping, so these are our assessment.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Tagged CVEs (showing 50 most recent of 95,935)
Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1440).