CWE-1286: Improper Validation of Syntactic Correctness of Input
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.
Last updated
Overview
Often, complex inputs are expected to follow a particular syntax, which is either assumed by the input itself, or declared within metadata such as headers. The syntax could be for data exchange formats, markup languages, or even programming languages. When untrusted input is not properly validated for the expected syntax, attackers could cause parsing failures, trigger unexpected errors, or expose latent vulnerabilities that might not be directly exploitable if the input had conformed to the syntax.
Real-world CVEs
69 recorded CVEs are caused by CWE-1286 (Improper Validation of Syntactic Correctness of Input). The highest-severity and most recent are shown first. 24 new CWE-1286 CVEs have been recorded so far in 2026 (17 in 2025).
- CVE-2025-41719
Sauter: Improper Validation of user-controlled data
High · CVSS 8.8 · EPSS 39th2025-10-22 - CVE-2025-55085
Web http client: Unchecked Server-Side Malicious Packet Issue
High · CVSS 8.8 · EPSS 43th2025-10-17 - CVE-2021-31988High · CVSS 8.8 · EPSS 56th2021-10-05
- CVE-2021-28812High · CVSS 8.8 · EPSS 72th2021-06-03
- CVE-2026-57026
Junos OS: MX Series with SPC3, SRX Series: Processing of a specifically malformed SIP invite causes a flowd crash
High · CVSS 8.7 · EPSS 37th2026-07-09 - CVE-2025-8873
Arista EOS Dataplane Denial of Service via Malformed IPsec Packet
High · CVSS 8.7 · EPSS 31th2026-06-04 - CVE-2026-33778
Junos OS: SRX Series, MX Series: When a specifically malformed first ISAKMP packet is received kmd/iked crashes
High · CVSS 8.7 · EPSS 26th2026-04-09 - CVE-2026-21917
Junos OS: SRX Series: Specifically malformed SSL packet causes FPC crash
High · CVSS 8.7 · EPSS 30th2026-01-15 - CVE-2025-11573
Denial of Service issue in Amazon.IonDotnet
High · CVSS 8.7 · EPSS 33th2025-10-09 - CVE-2024-39542High · CVSS 8.7 · EPSS 38th2024-07-11
- CVE-2024-21598High · CVSS 8.7 · EPSS 43th2024-04-12
- CVE-2026-6442
Improper Command Detection Logic Allows RCE in Cortex Code Command-Line Interface
High · CVSS 8.3 · EPSS 28th2026-04-16
Showing 12 of 69 recorded CWE-1286 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-1286 vulnerabilitiesCommon consequences
What can happen when CWE-1286 is exploited.
Varies by Context
Affects: Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1286, grouped by where in the lifecycle they apply.
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code loads and parses an XML file.
Vulnerable example
// Read DOMThe XML file is loaded without validating it against a known XML Schema or DTD.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2016-4029 — Chain: incorrect validation of intended decimal-based IP address format (CWE-1286) enables parsing of octal or hexadecimal formats (CWE-1389), allowing bypass of an SSRF protection mechanism (CWE-918).
- CVE-2007-5893 — HTTP request with missing protocol version number leads to crash
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1286.
- What is CWE-1286?
- The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.
- What CVEs are caused by CWE-1286?
- 69 recorded CVEs are attributed to CWE-1286, including CVE-2025-41719, CVE-2025-55085, CVE-2021-31988.
- How do you prevent CWE-1286?
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- What are the consequences of CWE-1286?
- Exploiting CWE-1286 can lead to: Varies by Context.
- Is CWE-1286 actively exploited?
- 69 recorded CVEs are caused by CWE-1286; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1286) (opens in a new tab)
- CWE-1286 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1286
Get alerted the moment a new CWE-1286 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.