Home/CWE/Improper Control of Resource Identifiers ('Resource Injection')
Weakness

Improper Control of Resource Identifiers ('Resource Injection')

CWE-99 · Class · Draft

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

Extended description

A resource injection issue occurs when the following two conditions are met: An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify part of the name of a file to be opened or a port number to be used. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.

For example, the program may give the attacker the ability to overwrite the specified file, run with a configuration controlled by the attacker, or transmit sensitive information to a third-party server. This may enable an attacker to access or modify otherwise protected system resources.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Children (more specific)
ParentOfCWE-641 · Improper Restriction of Names for Files and Other Resources
ParentOfCWE-694 · Use of Multiple Resources with Duplicate Identifier
ParentOfCWE-914 · Improper Control of Dynamically-Identified Variables
Related
PeerOfCWE-706 · Use of Incorrectly-Resolved Name or Reference
CanAlsoBeCWE-73 · External Control of File Name or Path

Attack Patterns (CAPEC)

3
How adversaries exploit this weakness, per MITRE CAPEC.
CAPEC-10Buffer Overflow via Environment Variables
CAPEC-240Resource Injection
CAPEC-75Manipulating Writeable Configuration Files

CVEs With This Weakness

51
A sample of the 51 CVEs tagged with this weakness.
CVECVE-2026-7303
CVECVE-2026-5414
CVECVE-2026-5031
CVECVE-2026-3693
CVECVE-2026-33603
CVECVE-2025-9619
CVECVE-2025-9264
CVECVE-2025-9263
CVECVE-2025-8793
CVECVE-2025-6534
CVECVE-2025-43491
CVECVE-2025-3855

Nuclei Scanner Templates

6
Open-source Nuclei templates that detect this weakness class - an actionable scan-for-it pivot. Licensed under the ProjectDiscovery / Nuclei terms.
criticalZimbra Collaboration Suite - Server-Side Request Forgery
criticalApache Solr 9.1 - Remote Code Execution
highSplash Render - SSRF
highUnder Construction, Coming Soon & Maintenance Mode < 1.1.2 - Server Side Request Forgery (SSRF)
mediumUEditor - Server Side Request Forgery
mediumWordpress Jetpack plugin - Server Side Request Forgery
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin