CWE · MITRE source
CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (8)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| RA-2 | Security Categorization | RA | Approved categorization forces identification of externally accessible files that contain sensitive content so they receive proper protection. |
| RA-8 | Privacy Impact Assessments | RA | The pre-implementation review identifies externally accessible files or directories containing PII and drives access restrictions or removal. |
| AC-22 | Publicly Accessible Content | AC | Pre- and post-publication reviews prevent insertion of sensitive information into externally-accessible public locations. |
| AU-13 | Monitoring for Information Disclosure | AU | Monitors for sensitive information placed in externally accessible files or directories. |
| CM-13 | Data Action Mapping | CM | The map shows whether data actions result in sensitive information being placed in externally accessible locations. |
| IR-9 | Information Spillage Response | IR | Isolation and eradication reduce the ability to exploit sensitive information inserted into externally-accessible files or directories. |
| SI-20 | Tainting | SI | Tainting makes it possible to determine when sensitive data has been removed from externally accessible files or directories. |
| SR-7 | Supply Chain Operations Security | SR | OPSEC practices stop placement of supply-chain information into locations accessible to external parties. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2024-51977 | 4.0 | 5.3 | 0.4868 | 2025-06-25 |
| CVE-2023-28444 | 2.0 | 9.9 | 0.0045 | 2023-03-24 |
| CVE-2023-7062 | 2.0 | 8.8 | 0.0329 | 2024-07-10 |
| CVE-2025-12059 | 2.0 | 9.8 | 0.0006 | 2026-02-11 |
| CVE-2016-20024 | 2.0 | 9.8 | 0.0003 | 2026-03-16 |
| CVE-2022-23508 | 1.8 | 8.8 | 0.0005 | 2023-01-09 |
| CVE-2023-46723 | 1.8 | 8.9 | 0.0020 | 2023-10-31 |
| CVE-2024-22433 | 1.8 | 8.8 | 0.0022 | 2024-02-06 |
| CVE-2017-9947 | 1.7 | 5.3 | 0.0996 | 2017-10-23 |
| CVE-2021-21250 | 1.6 | 7.7 | 0.0029 | 2021-01-15 |
| CVE-2021-40363 | 1.6 | 7.8 | 0.0003 | 2022-02-09 |
| CVE-2022-4318 | 1.6 | 7.8 | 0.0004 | 2023-09-25 |
| CVE-2016-10399 | 1.5 | 7.5 | 0.0028 | 2017-07-27 |
| CVE-2018-10590 | 1.5 | 7.5 | 0.0043 | 2018-05-15 |
| CVE-2019-6851 | 1.5 | 7.5 | 0.0044 | 2019-10-29 |
| CVE-2023-4595 | 1.5 | 7.5 | 0.0008 | 2023-11-23 |
| CVE-2024-22045 | 1.5 | 7.6 | 0.0036 | 2024-03-12 |
| CVE-2024-31954 | 1.5 | 7.3 | 0.0008 | 2024-05-14 |
| CVE-2025-61138 | 1.5 | 7.5 | 0.0004 | 2025-11-20 |
| CVE-2025-68429 | 1.5 | 7.3 | 0.0002 | 2025-12-17 |
| CVE-2020-37104 | 1.5 | 7.5 | 0.0006 | 2026-02-11 |
| CVE-2019-25706 | 1.5 | 7.5 | 0.0005 | 2026-04-12 |
| CVE-2023-54346 | 1.5 | 7.5 | 0.0004 | 2026-05-05 |
| CVE-2024-47579 | 1.4 | 6.8 | 0.0016 | 2024-12-10 |
| CVE-2024-47580 | 1.4 | 6.8 | 0.0016 | 2024-12-10 |