
CWE-538 (File and Path Information Exposure) — Vulnerability Class 66

66 vulnerabilities classified as CWE-538 (File and Path Information Exposure). AI analysis (originally in Chinese) included.

CWE-538 covers the case where an application writes sensitive data (credentials, session tokens, personal data, database dumps) into a file or directory that other actors are legitimately allowed to read: a world-readable log, a backup dropped under the web root, a fixed path in a shared temporary directory, a diagnostic archive handed to support. The defect is not a missing check in the application's request handling; it is that the data leaves the application's trust boundary and lands where file-system or web-server permissions, not the application, decide who can read it. Anyone who can reach that location (an unauthenticated browser request for the backup file, a low-privileged local account, another tenant on the same host) simply reads the file and bypasses every application-level control. The mitigation is to keep such data out of broadly readable locations in the first place: write it only under directories restricted to the application's own user, create files with an explicit restrictive mode rather than relying on the process umask, use a per-process temporary directory instead of a predictable path in a shared /tmp, redact or omit secrets from logs and troubleshooting bundles, and encrypt at rest anything that must persist outside the application's control.

MITRE CWE Description
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
Common Consequences (1)
Confidentiality: Read Files or Directories
Mitigations (1)
Phases: Architecture and Design, Operation, System Configuration. Do not expose file and directory information to the user.
Examples (1)
In the following code snippet, a user's name and credit card number are written to a log file; anyone able to read the log file can read the card number.
```java
// Bad (Java): the card number is logged verbatim into a file other accounts may read
logger.info("Username: " + username + ", CCN: " + ccn);
```
Bad · Java
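The following script is an added example (not MITRE's code and not from any product listed on this page) showing the three controls the paragraph above calls for, in one runnable Python program: a logging filter that masks card numbers before any handler writes them, a helper that creates private files with an explicit 0600 mode and O_EXCL under a per-process temporary directory, and an audit that lists files other local accounts could read. The function names (mask_ccn, RedactingFilter, redacted_log_line, write_private_file, audit_exposed_files, demo) are hypothetical, SAMPLE_CCN is a constructed test value, and POSIX permission semantics (Linux/macOS) are assumed.

```python
"""Added CWE-538 example: keep sensitive data out of files other accounts can read.
Hypothetical helper names; SAMPLE_CCN is a constructed value; POSIX permissions assumed."""
import io
import logging
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

SAMPLE_CCN = "4111111111111111"  # constructed test value, not real card data

# 13-19 digits, optionally separated by spaces or dashes, on word boundaries.
_CCN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def mask_ccn(text: str) -> str:
    """Replace anything shaped like a card number with asterisks plus its last 4 digits."""
    def _repl(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return _CCN_RE.sub(_repl, text)


class RedactingFilter(logging.Filter):
    """Logger-level filter: rewrite the formatted message before any handler sees it.

    Attached to the logger rather than to one handler, so every destination,
    including a log file another account can read, receives only masked text.
    """
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_ccn(record.getMessage())
        record.args = None  # message is already fully formatted
        return True


def redacted_log_line(message: str) -> str:
    """Log `message` through a logger carrying RedactingFilter; return what was emitted."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger = logging.getLogger("cwe538.demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info(message)
    handler.flush()
    return stream.getvalue().rstrip("\n")


def write_private_file(directory: Path, name: str, data: bytes) -> Path:
    """Create directory/name owner-only (0600). O_EXCL refuses to reuse an existing
    path, which defeats a symlink pre-planted in a shared directory."""
    path = directory / name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def audit_exposed_files(directory: Path) -> list[str]:
    """Names of regular files under `directory` that group or others may read."""
    exposed = []
    for path in directory.rglob("*"):
        mode = path.stat().st_mode
        if stat.S_ISREG(mode) and mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append(path.name)
    return sorted(exposed)


def demo() -> dict:
    """Write one file the CWE-538 way and one the safe way, then audit the directory."""
    workdir = Path(tempfile.mkdtemp(prefix="cwe538-"))  # mkdtemp creates the dir 0700
    line = f"Username: alice, CCN: {SAMPLE_CCN}\n"
    try:
        # Bad: raw card number in a 0644 file, the pattern behind the
        # "log file / backup download" entries in the CVE table below.
        bad = workdir / "export.log"
        bad.write_text(line)
        bad.chmod(0o644)
        # Good: redacted content, explicit 0600 mode, O_EXCL creation.
        good = write_private_file(workdir, "app.log", mask_ccn(line).encode())
        return {"exposed": audit_exposed_files(workdir), "good_text": good.read_text()}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(redacted_log_line(f"Username: alice, CCN: {SAMPLE_CCN}"))
    print(demo())
```

The audit only looks at mode bits, so it reports files that are readable in principle; on a host where the parent directory is itself 0700 (as mkdtemp guarantees) the file is shielded by the directory, but the check still flags it because the next copy of that file under a web root or a shared /tmp would not be.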
Listed CVEs (30 of the 66 shown on this page). "(AI)" marks a CVSS score or severity the page flags as AI-derived; "-" means no severity was given.

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-54346 | WordPress Plugin Backup Migration 1.2.8 Unauthenticated Database Backup Download | WordPress Plugin Backup Migration | 7.5 | High | 2026-05-05
CVE-2026-7071 | CodeAstro Online Job Portal user-cvs file information disclosure | Online Job Portal | 5.3 | Medium | 2026-04-27
CVE-2026-6160 | code-projects Simple ChatBox Endpoint chatbox.sql SimpleChatbox_PHP file information disclosure | Simple ChatBox | 5.3 | Medium | 2026-04-13
CVE-2019-25706 | Across DR-810 ROM-0 Unauthenticated File Disclosure | DR-810 | 7.5 | High | 2026-04-12
CVE-2026-33705 | Chamilo LMS: unauthenticated access to Twig template source files exposes application logic | chamilo-lms | 5.3 | Medium | 2026-04-10
CVE-2025-36051 | IBM QRadar SIEM Information Disclosure | QRadar SIEM | 6.2 | Medium | 2026-03-19
CVE-2016-20024 | ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions Privilege Escalation | ZKTeco ZKTime.Net | 9.8 | Critical | 2026-03-15
CVE-2026-21672 | Veeam Backup And Recovery security vulnerability | Backup and Replication | 7.8 (AI) | High (AI) | 2026-03-12
CVE-2026-2817 | Spring Data Geode Insecure Temporary Directory Usage | Spring Data Geode | 4.4 | Medium | 2026-02-19
CVE-2020-37104 | ASTPP 4.0.1 VoIP Billing - Database Backup Download | ASTPP | 7.5 | High | 2026-02-11
CVE-2025-12059 | Improper Access Control in Logo Software's Logo j-Platform | Logo j-Platform | 9.8 | Critical | 2026-02-11
CVE-2025-12699 | ZOLL ePCR IOS Mobile Application Insertion of Sensitive Information into Externally-Accessible File or Directory | ZOLL ePCR IOS Mobile Application | 5.5 | Medium | 2026-02-10
CVE-2025-36058 | Multiple security vulnerabilities are addressed in IBM Business Automation Workflow Containers fixes December 2025 | Business Automation Workflow containers | 5.5 | Medium | 2026-01-20
CVE-2026-23838 | Tandoor Recipes module allows SQLite database to be externally accessible with the default settings | nixpkgs | 7.5 (AI) | High (AI) | 2026-01-19
CVE-2021-4471 | TG8 Firewall Unauthenticated User Password Disclosure | TG8 Firewall | 7.5 | - | 2025-11-14
CVE-2016-15056 | Ubee EVW3226 Unauthenticated Backup File Disclosure | Ubee EVW3226 | 9.8 | - | 2025-11-14
CVE-2025-11891 | Shelf Planner <= 2.8.1 - Unauthenticated Information Exposure via Log Files | Shelf Planner Inventory Management for WooCommerce | 5.3 | Medium | 2025-11-11
CVE-2025-46602 | Dell SupportAssist OS Recovery security vulnerability | SupportAssist OS Recovery | 4.4 | Medium | 2025-10-27
CVE-2025-11079 | Campcodes Farm Management System file information disclosure | Farm Management System | 5.3 | Medium | 2025-09-27
CVE-2025-57734 | JetBrains TeamCity security vulnerability | TeamCity | 4.3 | Medium | 2025-08-20
CVE-2025-8452 | Unauthenticated leak of sensitive information affecting multiple models from Brother Industries, Ltd., Toshiba Tec, and Konica Minolta, Inc. | DCP-L8410CDW | 4.3 | Medium | 2025-08-12
CVE-2024-51977 | Unauthenticated leak of sensitive information affecting multiple models from Brother Industries, Ltd., FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc. | HL-L8260CDN | 5.3 | Medium | 2025-06-25
CVE-2025-20665 | MediaTek Chipsets security vulnerability | MT6580, MT6761, MT6765, MT6768, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6855, MT6873, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6983, MT6985, MT8175, MT8195, MT8196, MT8321, MT8365, MT8370, MT8385, MT8390, MT8395, MT8666, MT8667, MT8673, MT8678, MT8765, MT8766, MT8768, MT8771, MT8775, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791T, MT8795T, MT8796, MT8797, MT8798, MT8893 | 5.5 (AI) | Medium (AI) | 2025-05-05
CVE-2025-31421 | WordPress Srbtranslatin plugin <= 3.2.0 - Sensitive Data Exposure vulnerability | Srbtranslatin | 5.8 | Medium | 2025-04-04
CVE-2025-31558 | WordPress TailPress plugin <= 0.4.4 - Sensitive Data Exposure vulnerability | TailPress | 5.8 | Medium | 2025-04-03
CVE-2025-31550 | WordPress WP-LESS plugin <= 1.9.6 - Sensitive Data Exposure vulnerability | WP-LESS | 5.8 | Medium | 2025-04-01
CVE-2025-27017 | Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record | Apache NiFi | 6.5 | - | 2025-03-12
CVE-2025-27150 | Tuleap dumps the Redis password into the generated troubleshooting archives | tuleap | 5.3 | Medium | 2025-03-04
CVE-2025-22633 | WordPress Give – Divi Donation Modules plugin <= 2.0.0 - Sensitive Data Exposure vulnerability | Give – Divi Donation Modules | 5.8 | Medium | 2025-02-23
CVE-2025-24689 | WordPress Import and export users and customers plugin 1.27.12 - Sensitive Data Exposure vulnerability | Import and export users and customers | 5.9 | Medium | 2025-01-27

Vulnerabilities classified as CWE-538 (File and Path Information Exposure) account for 66 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.