CWE · MITRE source
CWE-20: Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. Input can consist of:

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of metadata and raw data, with other simple or structured data.

Many properties of raw data or metadata may need to be validated upon entry into the code, such as:

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties may be considered a contributing factor to improper input validation.
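The following is an added example, not code from MITRE or from this page: it validates a small structured message made of metadata (a type tag and a declared payload length) plus raw data, and shows the distinction the description draws between a specified quantity (the declared length), a derived quantity (the length the code itself measures), and consistency between the two. The record layout, the size bound and the type tags are constructed for illustration and are not any real protocol.

```python
"""Validating a structured input: header metadata plus raw payload (added example)."""
import struct
from dataclasses import dataclass

# Constructed format: 1-byte type tag, 2-byte big-endian declared payload length, payload.
MAX_PAYLOAD = 1024                       # constructed bound: a "specified quantity" check
TYPE_TEXT, TYPE_COUNTER = 0x01, 0x02     # constructed type tags


@dataclass
class Record:
    kind: int
    payload: bytes


class ValidationError(ValueError):
    """Raised when the input lacks a property required to process it safely."""


def parse_record(buf: bytes) -> Record:
    # Well-formedness: the fixed header must be fully present before it is read.
    if len(buf) < 3:
        raise ValidationError("truncated header")
    kind, declared_len = struct.unpack(">BH", buf[:3])

    # Specified quantity: the declared length must be inside the accepted range,
    # checked before it is used for anything (allocation, slicing, copying).
    if declared_len > MAX_PAYLOAD:
        raise ValidationError(f"declared length {declared_len} exceeds {MAX_PAYLOAD}")

    # Implied/derived quantity: the code measures how much data is actually present
    # and requires it to agree with the metadata (consistency of raw data vs metadata).
    actual_len = len(buf) - 3
    if actual_len != declared_len:
        raise ValidationError(f"declared {declared_len} bytes, got {actual_len}")
    payload = buf[3:]

    # Specified type: only known tags, each with the domain rule its payload must satisfy.
    if kind == TYPE_TEXT:
        try:
            payload.decode("ascii")
        except UnicodeDecodeError as exc:
            raise ValidationError("text payload is not ASCII") from exc
    elif kind == TYPE_COUNTER:
        if declared_len != 4:
            raise ValidationError("counter payload must be exactly 4 bytes")
    else:
        raise ValidationError(f"unknown type tag {kind:#x}")
    return Record(kind, payload)


def validate(buf: bytes) -> str:
    """Return 'ok' or 'rejected: <reason>'; the reason is what a defender would log."""
    try:
        parse_record(buf)
        return "ok"
    except ValidationError as exc:
        return f"rejected: {exc}"


# Constructed sample inputs
GOOD_TEXT = b"\x01\x00\x05hello"
SHORT_PAYLOAD = b"\x01\x00\x10hello"          # metadata claims 16 bytes, only 5 present
OVERSIZED = b"\xff\xff".join([b"\x01", b"A" * 5])  # declared length 65535, above the bound
NON_ASCII = b"\x01\x00\x02\xff\xfe"
BAD_COUNTER = b"\x02\x00\x03abc"
UNKNOWN_TYPE = b"\x09\x00\x01x"

if __name__ == "__main__":
    for name, sample in [("good", GOOD_TEXT), ("short", SHORT_PAYLOAD), ("oversized", OVERSIZED),
                         ("non-ascii", NON_ASCII), ("bad-counter", BAD_COUNTER), ("unknown", UNKNOWN_TYPE)]:
        print(f"{name:12} {validate(sample)}")
```

The order of the checks matters: the declared length is bounded before it is compared with, or used to index, the actual data, so an absurd header value never drives a slice or allocation; and every rejection names the property that failed, which is what makes such failures detectable in logs rather than silent.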
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (4) [AI]
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-10 | Information Input Validation | SI | Directly implements checks on information inputs to reject invalid data before processing. |
| SI-8 | Spam Protection | SI | Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content. |
| PM-14 | Testing, Training, and Monitoring | PM | Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses. |
| SA-11 | Developer Testing and Evaluation | SA | Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-44228 (KEV) | 9.7 | 10.0 | 0.9446 | 2021-12-10 |
| CVE-2024-3400 (KEV) | 9.7 | 10.0 | 0.9432 | 2024-04-12 |
| CVE-2017-3881 (KEV) | 9.6 | 9.8 | 0.9428 | 2017-03-17 |
| CVE-2017-9791 (KEV) | 9.6 | 9.8 | 0.9408 | 2017-07-10 |
| CVE-2017-15944 (KEV) | 9.6 | 9.8 | 0.9391 | 2017-12-11 |
| CVE-2018-7600 (KEV) | 9.6 | 9.8 | 0.9449 | 2018-03-29 |
| CVE-2019-0604 (KEV) | 9.6 | 9.8 | 0.9444 | 2019-03-05 |
| CVE-2020-1350 (KEV) | 9.6 | 10.0 | 0.9382 | 2020-07-14 |
| CVE-2021-21985 (KEV) | 9.6 | 9.8 | 0.9441 | 2021-05-26 |
| CVE-2022-24086 (KEV) | 9.6 | 9.8 | 0.9374 | 2022-02-16 |
| CVE-2022-47966 (KEV) | 9.6 | 9.8 | 0.9438 | 2023-01-18 |
| CVE-2023-23397 (KEV) | 9.6 | 9.8 | 0.9340 | 2023-03-14 |
| CVE-2023-22515 (KEV) | 9.6 | 9.8 | 0.9433 | 2023-10-04 |
| CVE-2018-0171 (KEV) | 9.5 | 9.8 | 0.9267 | 2018-03-28 |
| CVE-2024-21413 (KEV) | 9.5 | 9.8 | 0.9296 | 2024-02-13 |
| CVE-2009-0927 (KEV) | 9.4 | 8.8 | 0.9331 | 2009-03-19 |
| CVE-2016-3714 (KEV) | 9.3 | 8.4 | 0.9375 | 2016-05-05 |
| CVE-2017-0148 (KEV) | 9.3 | 8.1 | 0.9408 | 2017-03-17 |
| CVE-2022-29499 (KEV) | 9.3 | 9.8 | 0.8862 | 2022-04-26 |
| CVE-2023-22952 (KEV) | 9.3 | 8.8 | 0.9282 | 2023-01-11 |
| CVE-2023-2868 (KEV) | 9.3 | 9.4 | 0.9080 | 2023-05-24 |
| CVE-2018-0296 (KEV) | 9.2 | 7.5 | 0.9440 | 2018-06-07 |
| CVE-2020-3161 (KEV) | 9.2 | 9.8 | 0.8709 | 2020-04-15 |
| CVE-2020-3452 (KEV) | 9.2 | 7.5 | 0.9445 | 2020-07-22 |
| CVE-2012-1535 (KEV) | 9.1 | 7.8 | 0.9161 | 2012-08-15 |