CWE · MITRE source
CWE-540: Inclusion of Sensitive Information in Source Code
Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
There are situations where it is critical to remove source code from an area or server. For example, an attacker who obtains the Perl source code of a script on a system can study the script's logic and extract extremely useful information, such as exploitable code bugs or hard-coded logins and passwords.
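The following is an added worked example, not MITRE's text or this site's code: a small Python secret scanner run over constructed sample files. It finds the kind of hard-coded credential the description above refers to (a database password in a Perl script) and shows, in a second sample, the remediated form that reads the secret from the environment, plus a template placeholder that must not be reported as a live credential. File names, variable names, the sample contents and the regex are all assumptions made for illustration.

```python
"""Added example: regex-plus-entropy scanner for hard-coded credentials in source.

Not MITRE's or this site's code. Sample files, names and patterns are constructed
for illustration of CWE-540; the heuristics are deliberately simple.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample tree (assumption, not real project files).
SAMPLE_FILES = {
    # The weakness: a Perl script whose source embeds a live DB login.
    "cgi-bin/login.pl": """#!/usr/bin/perl
use DBI;
my $dsn  = "DBI:mysql:database=shop;host=db.internal";
my $user = "shop_admin";
my $password = "Sup3rS3cret!2024";
my $dbh = DBI->connect($dsn, $user, $password);
""",
    # The remediated form: credentials injected at deploy time, never in source.
    "app/settings.py": """import os
DB_USER = os.environ["DB_USER"]
DB_PASSWORD = os.environ["DB_PASSWORD"]
""",
    # A template with a placeholder; looks like an assignment but is not a secret.
    "config/app.env.template": """API_TOKEN="<set-in-vault>"
""",
}

# Matches `<name containing a secret-ish keyword> = "<literal>"` (also `:`).
# `[\w$]*` lets Perl sigils such as `$password` become part of the variable name.
SECRET_ASSIGN_RE = re.compile(
    r"""(?i)(?P<var>[\w$]*(?:password|passwd|secret|token|api[_-]?key)\w*)"""
    r"""\s*[:=]\s*['"](?P<literal>[^'"]{6,})['"]"""
)

# Literals that are obviously placeholders rather than live credentials.
PLACEHOLDER_RE = re.compile(r"(?i)^(changeme|password|example|xxx+|<[^>]+>|\$\{[^}]+\})$")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    variable: str
    literal: str
    entropy: float  # Shannon entropy in bits per character; higher looks more like a real secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s` (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-like string literal assigned in `text`."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_ASSIGN_RE.finditer(line):
            literal = m.group("literal")
            if PLACEHOLDER_RE.match(literal):
                continue  # template placeholder, not a spilled secret
            findings.append(
                Finding(path, line_no, m.group("var"), literal, round(shannon_entropy(literal), 3))
            )
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan every (path, contents) pair; paths are visited in sorted order."""
    return [f for path, text in sorted(files.items()) for f in scan_source(path, text)]


def report(findings: list[Finding]) -> list[str]:
    """Human-readable lines; the literal itself is redacted so the report cannot leak it."""
    return [
        f"{f.path}:{f.line_no}: hard-coded credential in {f.variable} "
        f"(len {len(f.literal)}, entropy {f.entropy:.2f} bits/char)"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(scan_tree(SAMPLE_FILES)):
        print(line)
```

Only the Perl file is reported: the `os.environ` reads in the Python sample contain no string literal after the assignment, and the template's `<set-in-vault>` is filtered as a placeholder. In a real pipeline this check would run as a pre-commit hook or CI step over the whole repository history, since a credential removed in a later commit is still recoverable from earlier ones.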
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this weakness. The verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 4 mapping(s) from 1 framework(s): ATT&CK 4 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (3) · AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| IR-9 | Information Spillage Response | IR | Detection and removal of spilled information addresses cases where sensitive data was included in source code. |
| SA-21 | Developer Screening | SA | Screening helps prevent intentional insertion of sensitive information into source code by untrusted developers. |
| SC-38 | Operations Security | SC | Prevents inclusion of sensitive information in source code and development artifacts through SDLC-wide OPSEC controls. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2021-28805 | 5.5 | 7.8 | 0.0024 | 2021-06-11 |
| CVE-2023-39250 | 5.5 | 7.8 | 0.0014 | 2023-08-16 |
| CVE-2024-1272 UPD | 5.5 | 7.5 | 0.0038 | 2024-06-05 |
| CVE-2024-38647 | 5.5 | 7.5 | 0.0064 | 2024-11-22 |
| CVE-2025-26013 | 5.5 | 8.2 | 0.0039 | 2025-02-21 |
| CVE-2025-49182 UPD | 5.5 | 7.5 | 0.0047 | 2025-06-12 |
| CVE-2026-4155 | 5.5 | 7.5 | 0.0057 | 2026-04-11 |
| CVE-2026-45728 UPD | 5.5 | 7.5 | 0.0030 | 2026-05-26 |
| CVE-2021-1516 | 3.5 | 4.3 | 0.0116 | 2021-05-06 |
| CVE-2021-34638 | 3.5 | 6.5 | 0.0133 | 2021-08-05 |
| CVE-2021-34744 | 3.5 | 4.9 | 0.0073 | 2021-10-06 |
| CVE-2021-34757 | 3.5 | 4.9 | 0.0060 | 2021-10-06 |
| CVE-2023-23448 | 3.5 | 5.3 | 0.0078 | 2023-05-15 |
| CVE-2023-30802 | 3.5 | 5.3 | 0.0065 | 2023-10-10 |
| CVE-2024-2265 UPD | 3.5 | 5.3 | 0.0083 | 2024-03-07 |
| CVE-2024-39729 | 3.5 | 4.3 | 0.0041 | 2024-07-15 |
| CVE-2024-27257 | 3.5 | 4.3 | 0.0030 | 2024-09-10 |
| CVE-2024-35144 | 3.5 | 5.3 | 0.0029 | 2025-01-25 |
| CVE-2025-0923 UPD | 3.5 | 5.3 | 0.0024 | 2025-06-11 |
| CVE-2024-38327 UPD | 3.5 | 6.8 | 0.0028 | 2025-07-10 |
| CVE-2025-36299 | 3.5 | 4.3 | 0.0019 | 2025-11-17 |
| CVE-2026-22275 | 3.5 | 4.4 | 0.0013 | 2026-01-23 |
| CVE-2026-35383 | 3.5 | 6.5 | 0.0028 | 2026-04-02 |
| CVE-2023-35013 | 1.5 | 2.3 | 0.0017 | 2023-10-16 |
| CVE-2024-2355 UPD | 1.5 | 3.7 | 0.0064 | 2024-03-10 |