Base weakness

Incomplete

CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

Last updated May 1, 2026

2

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

High

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).

Real-world CVEs

2 recorded CVEs are caused by CWE-652 (Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')). The highest-severity and most recent are shown first.

Common consequences

What can happen when CWE-652 is exploited.

Read Application Data

Affects: Confidentiality

An attacker might be able to read sensitive information from the XML database.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

How to prevent it

Practical mitigations for CWE-652, grouped by where in the lifecycle they apply.

Implementation

Use parameterized queries. This will help ensure separation between data plane and control plane.

Implementation

Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XQL queries is safe in that context.

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

An attacker may pass XQuery expressions embedded in an otherwise standard XML document. The attacker tunnels through the application entry point to target the resource access layer. The string below is an example of an attacker accessing the accounts.xml to request the service provider send all user names back. doc(accounts.xml)//user[name='*'] The attacks that are possible through XQuery are difficult to predict, if the data is not validated prior to executing the XQL.

Terminology & mappings

Mapped taxonomies

WASC: XQuery Injection (46)
Software Fault Patterns: Tainted input to command (SFP24)

Frequently asked questions

Common questions about CWE-652.

What is CWE-652?

The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

What CVEs are caused by CWE-652?

2 recorded CVEs are attributed to CWE-652, including CVE-2023-28676, CVE-2023-25015.

How do you prevent CWE-652?

Use parameterized queries. This will help ensure separation between data plane and control plane.

What are the consequences of CWE-652?

Exploiting CWE-652 can lead to: Read Application Data.

Is CWE-652 actively exploited?

2 recorded CVEs are caused by CWE-652; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-652

Get alerted the moment a new CWE-652 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

When it is introduced

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

Code examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-652?

What CVEs are caused by CWE-652?

How do you prevent CWE-652?

What are the consequences of CWE-652?

Is CWE-652 actively exploited?

References

Stay ahead of CWE-652