CWE · MITRE source
CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 8 mapping(s) from 6 framework(s): ASVS 5.0 2 (full) · ATT&CK 2 (mostly) · OWASP-Web 1 (mostly) · CAPEC 1 (partial) · STIG oracle linux 8 1 (partial) · STIG rhel 8 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (8) [AI]
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| RA-2 | Security Categorization | RA | Approved categorization forces identification of externally accessible files that contain sensitive content so they receive proper protection. |
| RA-8 | Privacy Impact Assessments | RA | The pre-implementation review identifies externally accessible files or directories containing PII and drives access restrictions or removal. |
| AC-22 | Publicly Accessible Content | AC | Pre- and post-publication reviews prevent insertion of sensitive information into externally-accessible public locations. |
| AU-13 | Monitoring for Information Disclosure | AU | Monitors for sensitive information placed in externally accessible files or directories. |
| CM-13 | Data Action Mapping | CM | The map shows if data actions result in sensitive information being placed in externally accessible locations. |
| IR-9 | Information Spillage Response | IR | Isolation and eradication reduce the ability to exploit sensitive information inserted into externally-accessible files or directories. |
| SI-20 | Tainting | SI | Tainting makes it possible to determine when sensitive data has been removed from externally accessible files or directories. |
| SR-7 | Supply Chain Operations Security | SR | OPSEC practices stop placement of supply-chain information into locations accessible to external parties. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-51977 UPD | 8.0 | 5.3 | 0.7656 | 2025-06-25 |
| CVE-2023-28444 | 7.0 | 9.9 | 0.0076 | 2023-03-24 |
| CVE-2025-12059 UPD | 7.0 | 9.8 | 0.0031 | 2026-02-11 |
| CVE-2016-20024 UPD | 7.0 | 9.8 | 0.0073 | 2026-03-16 |
| CVE-2019-6851 | 6.0 | 7.5 | 0.2989 | 2019-10-29 |
| CVE-2016-10399 | 5.5 | 7.5 | 0.0141 | 2017-07-27 |
| CVE-2018-10590 | 5.5 | 7.5 | 0.0171 | 2018-05-15 |
| CVE-2021-21250 | 5.5 | 7.7 | 0.0093 | 2021-01-15 |
| CVE-2021-40363 | 5.5 | 7.8 | 0.0016 | 2022-02-09 |
| CVE-2022-23508 | 5.5 | 8.8 | 0.0032 | 2023-01-09 |
| CVE-2022-4318 | 5.5 | 7.8 | 0.0027 | 2023-09-25 |
| CVE-2023-46723 | 5.5 | 8.9 | 0.0040 | 2023-10-31 |
| CVE-2023-4595 | 5.5 | 7.5 | 0.0072 | 2023-11-23 |
| CVE-2024-22433 UPD | 5.5 | 8.8 | 0.0064 | 2024-02-06 |
| CVE-2024-22045 UPD | 5.5 | 7.6 | 0.0043 | 2024-03-12 |
| CVE-2024-31954 | 5.5 | 7.3 | 0.0021 | 2024-05-14 |
| CVE-2023-7062 | 5.5 | 8.8 | 0.0072 | 2024-07-10 |
| CVE-2025-46820 UPD | 5.5 | 7.1 | 0.0016 | 2025-05-06 |
| CVE-2025-61138 | 5.5 | 7.5 | 0.0025 | 2025-11-20 |
| CVE-2025-68429 | 5.5 | 7.3 | 0.0024 | 2025-12-17 |
| CVE-2020-37104 | 5.5 | 7.5 | 0.0056 | 2026-02-11 |
| CVE-2026-21672 | 5.5 | 8.8 | 0.0022 | 2026-03-12 |
| CVE-2019-25706 | 5.5 | 7.5 | 0.0053 | 2026-04-12 |
| CVE-2023-54346 UPD | 5.5 | 7.5 | 0.0031 | 2026-05-05 |
| CVE-2026-27173 UPD | 5.5 | 8.7 | 0.0016 | 2026-05-19 |