BaseIncomplete

CWE-540Inclusion of Sensitive Information in Source Code

Category: data-exposure

Description

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the script and extract extremely useful information such as code bugs or logins and passwords.

Common consequences· 1

  • Confidentiality — Read Application Data

Potential mitigations· 1

  • [Architecture and Design, System Configuration]Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.

References

  1. https://cwe.mitre.org/data/definitions/540.html

Compliance frameworks addressing this (incoming)1

TypeTargetConfidenceTier
ComplianceControlowasp_llm_top10-llm02100%live

(incoming)2

TypeTargetConfidenceTier
VulnerabilityCVE-2025-26013cve-2025-260130%live
VulnerabilityCVE-2025-49182cve-2025-491820%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Inclusion of Sensitive Information in Source Code Comments
CWE
Inclusion of Sensitive Information in an Include File
CWE
Inclusion of Sensitive Information in Test Code
CWE
Unparsed Raw Web Content Delivery
CWE
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE
Exposure of Version-Control Repository to an Unauthorized Control Sphere
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.