
CWE-540 (Inclusion of Sensitive Information in Source Code): Vulnerability Class (26 CVEs)

26 vulnerabilities classified as CWE-540 (Inclusion of Sensitive Information in Source Code). AI analysis in Chinese included.

CWE-540 is an information disclosure weakness: sensitive material such as credentials, API keys, or internal logic sits in source code that users can reach. The usual routes are a web server that returns a script or include file verbatim instead of executing it, a repository or backup that is accessible to people who should not have it, and server-side templates whose comments are copied into the HTML sent to the client. An attacker who obtains the source needs no reverse engineering of compiled binaries; the secrets and logic are in plain text, and they support follow-on attacks such as unauthorized access, privilege escalation, or the discovery of further bugs in the code. Mitigation starts with keeping secrets out of the code base entirely: read them from environment variables or a secret-management service, and keep configuration that must hold sensitive values outside the web document root. Beyond that, restrict access to version control systems, configure the web server so that it never serves source or include files as static content, and scan commits for hardcoded secrets as part of code review.

MITRE CWE Description
Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. There are situations where it is critical to remove source code from an area or server. For example, obtaining Perl source code on a system allows an attacker to understand the logic of the script and extract extremely useful information such as code bugs or logins and passwords.
Common Consequences (1)
Confidentiality: Read Application Data
Mitigations (1)
Architecture and Design, System Configuration: Recommendations include removing this script from the web server and moving it to a location not accessible from the Internet.
Examples (2)
The following code uses an include file to store database credentials:

Bad · PHP (database.inc)
<?php
$dbName = 'usersDB';
$dbPassword = 'skjdh#67nkjd3$3$';
?>

Bad · PHP
<?php
include('database.inc');
$db = connectToDB($dbName, $dbPassword);
$db->authenticateUser($username, $password);
?>

If the web server is not configured to hand .inc files to the PHP interpreter, a request for /database.inc returns the file byte for byte, credentials included; the same applies to .sql, .bak and similar files left under the document root.

The following comment, embedded in a JSP, will be displayed in the resulting HTML output (a JSP comment written as <%-- ... --%> is dropped when the page is translated and never reaches the client):

Bad · JSP
<!-- FIXME: calling this with more than 30 args kills the JDBC server -->
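The three exposure routes in these examples (an include file served verbatim from the document root, a secret committed to the repository, and a developer note in an HTML comment that reaches the browser) can all be caught in review before deployment. The following Python scanner is an added example, not code from the CWE entry or from any listed vendor; the credential name stems, the list of extensions a server hands out as plain text, and the sample repository it builds in a temporary directory are all assumptions made for the demonstration:

```python
# Added example: scan a source tree for CWE-540 exposures. Not from the CWE
# entry or any product; name stems, extension list and sample files are assumed.
import math
import re
import tempfile
from pathlib import Path

# A string literal assigned to a credential-looking name, e.g. $dbPassword = '...'
# or API_KEY="...". The stems are an assumption; extend for your code base.
SECRET_ASSIGN = re.compile(
    r"""(?ix)
    \$? (?P<name> [a-z_]* (?: passw(?:or)?d | secret | api_?key | token | private_key ) [a-z_]* )
    \s* [:=] \s*
    (?P<quote> ["'] ) (?P<value> [^"'\n]{6,} ) (?P=quote)
    """
)
# <!-- --> comments are copied into the HTML a JSP emits; <%-- --%> ones are not.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
DEV_NOTE = re.compile(r"\b(FIXME|TODO|XXX|HACK)\b")
# Extensions a typical web server returns as static text instead of executing (assumed).
SERVED_VERBATIM = {".inc", ".sql", ".bak", ".txt", ".env", ".old", ".orig"}


def shannon_entropy(s: str) -> float:
    """Bits per character; high values suggest a generated secret, not a word."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, suffix: str) -> list:
    """Return (kind, detail, entropy) findings for one file's contents."""
    findings = []
    for m in SECRET_ASSIGN.finditer(text):
        value = m.group("value")
        if value.startswith("$") or value.startswith("{{"):  # templated placeholder
            continue
        findings.append(("hardcoded-secret", m.group("name"), round(shannon_entropy(value), 2)))
    if suffix in {".jsp", ".html", ".htm", ".php"}:
        for m in HTML_COMMENT.finditer(text):
            note = m.group(1).strip()
            if DEV_NOTE.search(note):
                findings.append(("client-visible-comment", note, None))
    return findings


def scan_tree(root: Path, webroot: Path) -> dict:
    """Map each offending file (path relative to root) to its list of findings."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        findings = scan_text(path.read_text(errors="replace"), path.suffix.lower())
        # Under the document root with a non-executed extension: any HTTP client gets the file.
        if path.suffix.lower() in SERVED_VERBATIM and webroot in path.parents:
            findings.append(("served-verbatim-under-webroot", rel, None))
        if findings:
            report[rel] = findings
    return report


def build_sample_tree() -> Path:
    """Write a constructed mini-repository to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="cwe540-"))
    files = {
        # The CWE entry's include file, dropped in the document root.
        "webroot/database.inc": "<?php\n$dbName = 'usersDB';\n$dbPassword = 'skjdh#67nkjd3$3$';\n?>\n",
        # A database dump left next to the application (constructed row).
        "webroot/login.sql": "INSERT INTO users (username, password) VALUES ('admin', 'S3cret!Pass');\n",
        # The CWE entry's JSP comment beside a server-side-only JSP comment.
        "webroot/index.jsp": (
            "<%-- this comment is removed when the JSP is translated --%>\n"
            "<!-- FIXME: calling this with more than 30 args kills the JDBC server -->\n"
        ),
        # A secret inside the repository but outside the web root (constructed value).
        "config/app.env": 'API_KEY="fake-key-for-example-0123456789"\n',
        # The hardened form: the secret comes from the process environment.
        "src/config.php": "<?php\n$dbPassword = getenv('DB_PASSWORD');\n?>\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, found in scan_tree(root, root / "webroot").items():
        for kind, detail, entropy in found:
            extra = "" if entropy is None else f", entropy={entropy}"
            print(f"{rel}: {kind} ({detail}{extra})")
```

Run directly, it prints the findings for the constructed tree; for a real check, point scan_tree at a checkout and its document root from a pre-commit hook or CI job. Note that the dump file is reported even though it contains no credential assignment, because under CWE-540 the exposure is the file being reachable at all, while the hardened config.php and the placeholder-style values produce nothing.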
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-4155 | ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability | Home Flex | 7.5 | High | 2026-04-11
CVE-2026-35383 | Bentley Systems iTwin Platform exposed access token | iTwin Platform | 6.5 | Medium | 2026-04-02
CVE-2026-22275 | Dell ECS Security Vulnerability | ObjectScale | 4.4 | Medium | 2026-01-23
CVE-2025-36299 | IBM Planning Analytics Information Disclosure | IBM Planning Analytics Local | 4.3 | Medium | 2025-11-17
CVE-2024-38327 | IBM Analytics Content Hub information disclosure | Analytics Content Hub | 6.8 | Medium | 2025-07-10
CVE-2025-49182 | Credential disclosure | SICK Media Server | 7.5 | High | 2025-06-12
CVE-2025-0923 | IBM Cognos Analytics information disclosure | Cognos Analytics | 5.3 | Medium | 2025-06-11
CVE-2025-3403 | Vivotek NVR ND8422P/NVR ND9525P/NVR ND9541P HTML Form sensitive information in source | NVR ND8422P | 2.7 | Low | 2025-04-08
CVE-2024-55907 | IBM Cognos Mobile information disclosure | Cognos Analytics Mobile | 2.0 | Low | 2025-03-02
CVE-2024-35144 | IBM Maximo Application Suite information disclosure | Maximo Application Suite | 5.3 | Medium | 2025-01-25
CVE-2024-38647 | QNAP AI Core | QNAP AI Core | 9.1 | - | 2024-11-22
CVE-2024-9596 | Inclusion of Sensitive Information in Source Code in GitLab | GitLab | 3.7 | Low | 2024-10-10
CVE-2024-27257 | IBM OpenPages information disclosure | OpenPages | 4.3 | Medium | 2024-09-10
CVE-2024-8417 | 云课网络科技有限公司 Yunke Online School System videobind.html sensitive information in source | Yunke Online School System | 3.1 | Low | 2024-09-04
CVE-2024-39729 | IBM Datacap Navigator information disclosure | Datacap Navigator | 4.3 | Medium | 2024-07-15
CVE-2024-1272 | Information Disclosure to Source Code in TNB Mobile Solutions' Cockpit Software | Cockpit Software | 7.5 | High | 2024-06-05
CVE-2024-2355 | keerti1924 Secret-Coder-PHP-Project secret_coder.sql inclusion of sensitive information in source code | Secret-Coder-PHP-Project | 3.7 | Low | 2024-03-10
CVE-2024-2265 | keerti1924 PHP-MYSQL-User-Login-System login.sql inclusion of sensitive information in source code | PHP-MYSQL-User-Login-System | 5.3 | Medium | 2024-03-07
CVE-2023-35013 | IBM Security Verify Governance information disclosure | Security Verify Governance | 2.3 | Low | 2023-10-15
CVE-2023-30802 | Sangfor Next-Gen Application Firewall Source Code Disclosure | Next-Gen Application Firewall | 5.3 | Medium | 2023-10-10
CVE-2023-39250 | Dell Storage Integration Tools for VMware Information Disclosure Vulnerability | Dell Storage Integration Tools for VMware (DSITV), Dell Storage vSphere Client Plugin (DSVCP), Replay Manager for VMware (RMSV) | 7.8 | High | 2023-08-16
CVE-2023-23448 | SICK FTMg Security Vulnerability | SICK FTMG-ESD15AXX AIR FLOW SENSOR | 5.3 | Medium | 2023-05-15
CVE-2021-34744 | Cisco Business 220 Series Smart Switches Static Key and Password Vulnerabilities | Cisco Small Business 220 Series Smart Plus Switches | 4.9 | Medium | 2021-10-06
CVE-2021-34757 | Cisco Business 220 Series Smart Switches Static Key and Password Vulnerabilities | Cisco Small Business 220 Series Smart Plus Switches | 4.9 | Medium | 2021-10-06
CVE-2021-28805 | Inclusion of Sensitive Information in QSS | QSS | 7.8 | High | 2021-06-11
CVE-2021-1516 | Cisco Content Security Management Appliance, Email Security Appliance, and Web Security Appliance Information Disclosure Vulnerability | Cisco Web Security Appliance (WSA) | 4.3 | Medium | 2021-05-06

Vulnerabilities classified as CWE-540 (Inclusion of Sensitive Information in Source Code) account for 26 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.