Base weakness

Incomplete

CWE-1288: Improper Validation of Consistency within Input

The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.

Last updated May 1, 2026

19

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

Some input data can be structured with multiple elements or fields that must be consistent with each other, e.g. a number-of-items field that is followed by the expected number of elements. When such complex inputs are inconsistent, attackers could trigger unexpected errors, cause incorrect actions to take place, or exploit latent vulnerabilities.

Real-world CVEs

19 recorded CVEs are caused by CWE-1288 (Improper Validation of Consistency within Input). The highest-severity and most recent are shown first. 2 new CWE-1288 CVEs have been recorded so far in 2026 (5 in 2025).

CVE-2025-9999

Improper validation of payload elements

High · CVSS 7.6 · EPSS 11th

2025-09-05

CVE-2024-31136

High · CVSS 7.4 · EPSS 0th

2024-03-28

CVE-2023-32701

Vulnerability in Networking Stack Impacts QNX Software Development Platform (SDP)

High · CVSS 7.1 · EPSS 26th

2023-11-14

CVE-2024-12093

Medium · CVSS 6.8 · EPSS 18th

2025-05-22

CVE-2024-27371

Medium · CVSS 6.7 · EPSS 19th

2024-06-05

CVE-2024-27375

Medium · CVSS 6.7 · EPSS 19th

2024-06-05

CVE-2024-8305

Medium · CVSS 6.5 · EPSS 53th

2024-10-21

CVE-2025-2885

Root metadata version not validated in tough

Medium · CVSS 5.7 · EPSS 49th

2025-03-27

CVE-2024-5953

389-ds-base: malformed userpassword hash may cause denial of service

Medium · CVSS 5.7 · EPSS 31th

2024-06-18

Showing 12 of 19 recorded CWE-1288 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-1288 vulnerabilities

Common consequences

What can happen when CWE-1288 is exploited.

Varies by Context

Affects: Other

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to prevent it

Practical mitigations for CWE-1288, grouped by where in the lifecycle they apply.

Implementation

Input Validation

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Effectiveness: High

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2018-16733 — product does not validate that the start block appears before the end block
CVE-2006-3790 — size field that is inconsistent with packet size leads to buffer over-read
CVE-2008-4114 — system crash with offset value that is inconsistent with packet size

Frequently asked questions

Common questions about CWE-1288.

What is CWE-1288?

The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.

What CVEs are caused by CWE-1288?

19 recorded CVEs are attributed to CWE-1288, including CVE-2024-39515, CVE-2024-25951, CVE-2022-50976.

How do you prevent CWE-1288?

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

What are the consequences of CWE-1288?

Exploiting CWE-1288 can lead to: Varies by Context.

Is CWE-1288 actively exploited?

19 recorded CVEs are caused by CWE-1288; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-1288

Get alerted the moment a new CWE-1288 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing