CWE-260: Password in Configuration File
The product stores a password in a configuration file that might be accessible to actors who do not know the password.
Last updated
Overview
This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.
Real-world CVEs
24 recorded CVEs are caused by CWE-260 (Password in Configuration File). The highest-severity and most recent are shown first. 1 new CWE-260 CVE has been recorded so far in 2026 (13 in 2025).
- CVE-2023-53739
Tinycontrol LAN Controller v3 LK3 1.58a Unauthenticated Configuration Backup Disclosure
Critical · CVSS 9.9 · EPSS 43th2025-12-09 - CVE-2025-57754
eslint-ban-moment exposed a sensitive Supabase URI in .env (Credential leak)
Critical · CVSS 9.8 · EPSS 26th2025-08-21 - CVE-2023-34128Critical · CVSS 9.8 · EPSS 49th2023-07-13