Log inLog in

Variant weakness

Incomplete

CWE-530: Exposure of Backup File to an Unauthorized Control Sphere

A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

Last updated May 1, 2026

10

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

Often, older backup files are renamed with an extension such as .~bk to distinguish them from production files. The source code for old files that have been renamed in this manner and left in the webroot can often be retrieved. This renaming may have been performed automatically by the web server, or manually by the administrator.

Real-world CVEs

10 recorded CVEs are caused by CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere). The highest-severity and most recent are shown first. 1 new CWE-530 CVE has been recorded so far in 2026 (3 in 2025).

High · CVSS 7.2

2026-05-27

QKSMS Backup File androidmanifest.xml backup

Low · CVSS 2.4

2024-04-07

CVE-2024-3128

Replify-Messenger Backup File androidmanifest.xml backup

Common consequences

What can happen when CWE-530 is exploited.

Read Application Data

Affects: Confidentiality

At a minimum, an attacker who retrieves this file would have all the information contained in it, whether that be database calls, the format of parameters accepted by the application, or simply information regarding the architectural structure of your site.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Operation

Applies to

Technologies

Web Server

How to prevent it

Practical mitigations for CWE-530, grouped by where in the lifecycle they apply.

Policy

Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2024-7315 — Chain: WordPress plugin does not use sufficient randomness when generating the filename for a backup (CWE-340), allowing attackers to obtain backup files (CWE-530)

Frequently asked questions

Common questions about CWE-530.

What is CWE-530?

A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

What CVEs are caused by CWE-530?

10 recorded CVEs are attributed to CWE-530, including CVE-2020-36899, CVE-2024-12330, CVE-2024-56462.

How do you prevent CWE-530?

Recommendations include implementing a security policy within your organization that prohibits backing up web application source code in the webroot.

How is CWE-530 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-530?

Exploiting CWE-530 can lead to: Read Application Data.

Is CWE-530 actively exploited?

10 recorded CVEs are caused by CWE-530; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-530

Get alerted the moment a new CWE-530 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Illustrative examples

Related weaknesses

Parent

Frequently asked questions

What is CWE-530?

What CVEs are caused by CWE-530?

How do you prevent CWE-530?

How is CWE-530 detected?

What are the consequences of CWE-530?

Is CWE-530 actively exploited?

References

Stay ahead of CWE-530