CWE-1173: Improper Use of Validation Framework
low-risk
The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.
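As an added illustration of the "does not use" half of this weakness (example code written for this page, not part of the CWE entry), the block below contrasts a hand-written IPv4 regex with Python's standard-library `ipaddress` module, which stands in here for the validation facility "provided by the source language". The sample inputs are constructed for the example.

```python
import ipaddress
import re

# Constructed sample inputs (not from the CWE entry): a mix of valid and
# malformed address strings as they might arrive in a request parameter.
SAMPLE_INPUTS = [
    "192.0.2.10",      # valid IPv4
    "999.1.1.1",       # octet out of range
    "192.0.2.10\n",    # trailing newline; `$` in the regex matches before it
    "192.0.2",         # too few octets
    "::1",             # IPv6, which the ad hoc regex does not handle at all
]

# Ad hoc check typical of CWE-1173: a hand-written regex stands in for the
# language's own validation support. It accepts out-of-range octets and,
# because `$` also matches before a trailing newline, "192.0.2.10\n".
_ADHOC_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")


def adhoc_is_ipv4(value: str) -> bool:
    """Hand-rolled validator: the pattern this weakness warns against."""
    return bool(_ADHOC_RE.match(value))


def framework_is_ip(value: str) -> bool:
    """Validator backed by the standard library's ipaddress module: rejects
    out-of-range octets and stray whitespace, and handles IPv6 as well."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def compare(inputs=SAMPLE_INPUTS) -> dict:
    """Return {input: (adhoc_result, framework_result)} so the divergence
    between the two validators is visible per input."""
    return {s: (adhoc_is_ipv4(s), framework_is_ip(s)) for s in inputs}


def adhoc_false_accepts(inputs=SAMPLE_INPUTS) -> list:
    """Inputs the ad hoc validator accepts but the framework rejects; these
    are the values that reach downstream code unvalidated."""
    return [s for s in inputs if adhoc_is_ipv4(s) and not framework_is_ip(s)]
```

Running `adhoc_false_accepts()` lists the two constructed inputs the regex lets through, which is the gap a static analysis tool that only recognizes the framework-backed validator would flag.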
Common Consequences
Detection Methods
Some instances of improper input validation can be detected using automated static analysis. A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool may then suppress or de-prioritize any associated warnings. This allows the analyst to focus on areas of the software in which input validation does not appear to be present.

Except in the cases described in the previous paragraph, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives, i.e., warnings that do not have any security consequences or require any code changes.
Real-World Examples (6)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2022-1414 | 8.8 | 0.5% | — |
| CVE-2020-1640 | 7.5 | 0.4% | — |
| CVE-2025-3940 | 5.3 | 0.3% | — |
| CVE-2023-29091 | 6.8 | 0.2% | — |
| CVE-2026-33674 | 2.0 | 0.1% | — |
| CVE-2023-30949 | 4.3 | 0.1% | — |