Variant weakness

Draft

CWE-548: Exposure of Information Through Directory Listing

The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

Last updated May 1, 2026

55

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Variant

Abstraction

MITRE classification

Overview

CWE-548 (Exposure of Information Through Directory Listing) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

55 recorded CVEs are caused by CWE-548 (Exposure of Information Through Directory Listing). The highest-severity and most recent are shown first. 5 new CWE-548 CVEs have been recorded so far in 2026 (20 in 2025).

Showing 12 of 55 recorded CWE-548 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-548 vulnerabilities

Common consequences

What can happen when CWE-548 is exploited.

Read Files or Directories

Affects: Confidentiality

Exposing the contents of a directory can lead to an attacker gaining access to source code or providing useful information for the attacker to devise exploits, such as creation times of files or any information that may be encoded in file names. The directory listing may also compromise private or confidential data.

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

Operation

How to prevent it

Practical mitigations for CWE-548, grouped by where in the lifecycle they apply.

Architecture and Design

System Configuration

Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2023-37599 — web interface is configured to allow directory listing of a module path

Terminology & mappings

Mapped taxonomies

OWASP Top Ten 2004: Insecure Configuration Management (A10) — CWE More Specific fit
WASC: Directory Indexing (16)

Frequently asked questions

Common questions about CWE-548.

What is CWE-548?

The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory.

What CVEs are caused by CWE-548?

55 recorded CVEs are attributed to CWE-548, including CVE-2021-47718, CVE-2025-28170, CVE-2025-32750.

Is CWE-548 part of the OWASP Top 10?

CWE-548 maps to OWASP Top Ten 2004: Insecure Configuration Management (A10) in the OWASP security taxonomy.

How do you prevent CWE-548?

Recommendations include restricting access to important directories or files by adopting a need to know requirement for both the document and server root, and turning off features such as Automatic Directory Listings that could expose private files and provide information that could be utilized by an attacker when formulating or conducting an attack.

How is CWE-548 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-548?

Exploiting CWE-548 can lead to: Read Files or Directories.

Is CWE-548 actively exploited?

55 recorded CVEs are caused by CWE-548; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-548

Get alerted the moment a new CWE-548 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Real-world CVEs

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-548?

What CVEs are caused by CWE-548?

Is CWE-548 part of the OWASP Top 10?

How do you prevent CWE-548?

How is CWE-548 detected?

What are the consequences of CWE-548?

Is CWE-548 actively exploited?

References

Stay ahead of CWE-548