H3-2026-0039¶

Directory Listing Exposed to Unauthenticated Users

Description¶

A web server returned an index of a directory's contents to an unauthenticated client in a publicly accessible response.

Impact¶

An attacker can read the directory listing to enumerate internal files. This unintended exposure can accidentally reveal source code, backup and archive files, configuration artifacts, or other internal material that the listing makes directly reachable.

References¶

• CWE-548: Exposure of Information Through Directory Listing
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• OWASP Top Ten: Security Misconfiguration