A05:2025 Injection

OWASP Top 10:2025 · Back to the list

Untrusted input crosses an interpreter boundary without proper neutralization. SQL, OS command, LDAP, XSS, template injection.

Related on the LLM side: OWASP Top 10 for LLMs LLM01:2025.

Member CWEs (37)

• CWE-20 Improper Input Validation
• CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-76 Improper Neutralization of Equivalent Special Elements
• CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
• CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
• CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
• CWE-83 Improper Neutralization of Script in Attributes in a Web Page
• CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
• CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
• CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
• CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
• CWE-91 XML Injection (aka Blind XPath Injection)
• CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
• CWE-94 Improper Control of Generation of Code ('Code Injection')
• CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
• CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
• CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
• CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
• CWE-99 Improper Control of Resource Identifiers ('Resource Injection')
• CWE-103 Struts: Incomplete validate() Method Definition
• CWE-104 Struts: Form Bean Does Not Extend Validation Class
• CWE-112 Missing XML Validation
• CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
• CWE-114 Process Control
• CWE-115 Misinterpretation of Input
• CWE-116 Improper Encoding or Escaping of Output
• CWE-129 Improper Validation of Array Index
• CWE-159 Improper Handling of Invalid Use of Special Elements
• CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
• CWE-493 Critical Public Variable Without Final Modifier
• CWE-500 Public Static Field Not Marked Final
• CWE-564 SQL Injection: Hibernate
• CWE-610 Externally Controlled Reference to a Resource in Another Sphere
• CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
• CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax
• CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Tagged CVEs (showing 50 most recent of 93,077)

• CVE-2026-9157
• CVE-2026-9144
• CVE-2026-9124
• CVE-2026-9082
• CVE-2026-9065
• CVE-2026-9059
• CVE-2026-9010
• CVE-2026-9003
• CVE-2026-8959
• CVE-2026-8912
• CVE-2026-8851
• CVE-2026-8838
• CVE-2026-8827
• CVE-2026-8788
• CVE-2026-8785
• CVE-2026-8777
• CVE-2026-8774
• CVE-2026-8773
• CVE-2026-8772
• CVE-2026-8771
• CVE-2026-8767
• CVE-2026-8759
• CVE-2026-8753
• CVE-2026-8751
• CVE-2026-8735
• CVE-2026-8734
• CVE-2026-8726
• CVE-2026-8724
• CVE-2026-8685
• CVE-2026-8656
• CVE-2026-8654
• CVE-2026-8634
• CVE-2026-8632
• CVE-2026-8627
• CVE-2026-8626
• CVE-2026-8624
• CVE-2026-8603
• CVE-2026-8579
• CVE-2026-8539
• CVE-2026-8538
• CVE-2026-8536
• CVE-2026-8528
• CVE-2026-8527
• CVE-2026-8516
• CVE-2026-8500
• CVE-2026-8493
• CVE-2026-8467
• CVE-2026-8431
• CVE-2026-8430
• CVE-2026-8429

Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1440).