CWE-540: Inclusion of Sensitive Information in Source Code
Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
Last updated
Overview
There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the script and extract extremely useful information such as code bugs or logins and passwords.
Real-world CVEs
27 recorded CVEs are caused by CWE-540 (Inclusion of Sensitive Information in Source Code). The highest-severity and most recent are shown first. 3 new CWE-540 CVEs have been recorded so far in 2026 (8 in 2025).
- CVE-2024-38327
IBM Analytics Content Hub information disclosure
Critical · CVSS 9.8 · EPSS 20th2025-07-10 - CVE-2025-49182
Credential disclosure
Critical · CVSS 9.8 · EPSS 37th2025-06-12 - CVE-2025-26013High · CVSS 8.2 · EPSS 31th2025-02-21
- CVE-2024-38647High · CVSS 7.9 · EPSS 47th2024-11-22
- CVE-2023-39250High · CVSS 7.8 · EPSS 3th2023-08-16
- CVE-2021-28805High · CVSS 7.8 · EPSS 15th2021-06-11
- CVE-2026-4155
ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability
High · CVSS 7.5 · EPSS 43th2026-04-11 - CVE-2024-1272
Information Disclosure to Source Code in TNB Mobile Solutions' Cockpit Software
High · CVSS 7.5 · EPSS 31th2024-06-05 - CVE-2024-2265High · CVSS 7.5 · EPSS 53th2024-03-07
- CVE-2026-35383
Bentley Systems iTwin Platform exposed access token
Medium · CVSS 6.9 · EPSS 20th2026-04-02 - CVE-2021-1516Medium · CVSS 6.5 · EPSS 63th2021-05-06
- CVE-2021-34757Medium · CVSS 5.5 · EPSS 45th2021-10-06
Showing 12 of 27 recorded CWE-540 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-540 vulnerabilitiesCommon consequences
What can happen when CWE-540 is exploited.
Read Application Data
Affects: Confidentiality
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-540, grouped by where in the lifecycle they apply.
Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code uses an include file to store database credentials:
Vulnerable example
<?phpVulnerable example
<?phpThe following comment, embedded in a JSP, will be displayed in the resulting HTML output.
Vulnerable example
<!-- FIXME: calling this with more than 30 args kills the JDBC server -->Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-25512 — Server for Team Awareness Kit (TAK) application includes sensitive tokens in the JavaScript source code.
- CVE-2022-24867 — The LDAP password might be visible in the html code of a rendered page in an IT Asset Management tool.
- CVE-2007-6197 — Version numbers and internal hostnames leaked in HTML comments.
Frequently asked questions
Common questions about CWE-540.
- What is CWE-540?
- Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
- What CVEs are caused by CWE-540?
- 27 recorded CVEs are attributed to CWE-540, including CVE-2024-38327, CVE-2025-49182, CVE-2025-26013.
- How do you prevent CWE-540?
- Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.
- How is CWE-540 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-540?
- Exploiting CWE-540 can lead to: Read Application Data.
- Is CWE-540 actively exploited?
- 27 recorded CVEs are caused by CWE-540; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-540) (opens in a new tab)
- CWE-540 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-540
Get alerted the moment a new CWE-540 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.