Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

What CVEs are caused by CWE-540?

27 recorded CVEs are attributed to CWE-540, including CVE-2025-26013, CVE-2024-38647, CVE-2023-39250.

How do you prevent CWE-540?

Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.

How is CWE-540 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-540?

Exploiting CWE-540 can lead to: Read Application Data.

Is CWE-540 actively exploited?

27 recorded CVEs are caused by CWE-540; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-540: Inclusion of Sensitive Information in Source Code

CVE-2021-28805

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code uses an include file to store database credentials:

Vulnerable example

php

<?php

Vulnerable example

php

<?php

The following comment, embedded in a JSP, will be displayed in the resulting HTML output.

Vulnerable example

jsp

<!-- FIXME: calling this with more than 30 args kills the JDBC server -->

CWE-540: Inclusion of Sensitive Information in Source Code

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Frequently asked questions

What is CWE-540?

What CVEs are caused by CWE-540?

How do you prevent CWE-540?

How is CWE-540 detected?

What are the consequences of CWE-540?

Is CWE-540 actively exploited?

References

Stay ahead of CWE-540

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Frequently asked questions

What is CWE-540?

What CVEs are caused by CWE-540?

How do you prevent CWE-540?

How is CWE-540 detected?

What are the consequences of CWE-540?

Is CWE-540 actively exploited?

References

Stay ahead of CWE-540