The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.

What CVEs are caused by CWE-180?

11 recorded CVEs are attributed to CWE-180, including CVE-2022-26136, CVE-2026-24895, CVE-2022-26137.

Is CWE-180 part of the OWASP Top 10?

CWE-180 maps to OWASP Top Ten 2004: Unvalidated Input (A1) in the OWASP security taxonomy.

How do you prevent CWE-180?

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

What are the consequences of CWE-180?

Exploiting CWE-180 can lead to: Bypass Protection Mechanism.

Is CWE-180 actively exploited?

11 recorded CVEs are caused by CWE-180; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-180: Incorrect Behavior Order: Validate Before Canonicalize

CVE-2026-39364

Vite has a `server.fs.deny` bypass with queries

CWE-180: Incorrect Behavior Order: Validate Before Canonicalize

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code attempts to validate a given input path by checking it against an allowlist and then return the canonical path. In this specific case, the path is considered valid if it starts with the string "/safe_dir/".

Vulnerable example

java

String path = getInputPath();

Safe example

java

String path = getInputPath();

CWE-180: Incorrect Behavior Order: Validate Before Canonicalize

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-180?

What CVEs are caused by CWE-180?

Is CWE-180 part of the OWASP Top 10?

How do you prevent CWE-180?

What are the consequences of CWE-180?

Is CWE-180 actively exploited?

References

Stay ahead of CWE-180

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-180?

What CVEs are caused by CWE-180?

Is CWE-180 part of the OWASP Top 10?

How do you prevent CWE-180?

What are the consequences of CWE-180?

Is CWE-180 actively exploited?

References

Stay ahead of CWE-180