- What is CWE-90?
- The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
- What CVEs are caused by CWE-90?
- 54 recorded CVEs are attributed to CWE-90, including CVE-2026-44930, CVE-2026-33289, CVE-2024-54852.
- Is CWE-90 part of the OWASP Top 10?
- CWE-90 maps to OWASP Top Ten 2007: Injection Flaws (A2) in the OWASP security taxonomy.
- How do you prevent CWE-90?
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- How is CWE-90 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-90?
- Exploiting CWE-90 can lead to: Execute Unauthorized Code or Commands, Read Application Data, Modify Application Data.
- Is CWE-90 actively exploited?
- 54 recorded CVEs are caused by CWE-90; none are currently in CISA's KEV catalog of actively exploited flaws.