99 matches found
Security Bulletin: IBM InfoSphere Optim Archive Viewer is affected by multiple vulnerabilities in qs (CVE-2025-15284, CVE-2026-2391)
Summary Multiple vulnerabilities in the qs query string parsing library used by IBM InfoSphere Optim Archive Viewer have been addressed by upgrading the library to version 6.14.2. Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules...
Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition
Summary Multiple vulnerabilities were addressed in IBM watsonx Orchestrate Developer Edition version 2.7.0 Vulnerability Details CVEID:CVE-2025-64756 DESCRIPTION: Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI...
Security Bulletin: IBM Maximo Application Suite uses multiple third-party dependencies which are vulnerable to multiple CVEs.
Summary IBM Maximo Application Suite uses qs-6.13.0.tgz, qs-6.14.0.tgz, pygments-2.19.2-py3-none-any.whl, and cryptography-46.0.5-cp311-abi3-manylinux_2_34_x86_64.whl, which are vulnerable to CVE-2025-15284, CVE-2026-2391, CVE-2026-4539, and CVE-2026-34073. This bulletin contains information regardin...
Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the qs library
Summary Due to the use of the qs library, DevOps Test Performance and Rational Performance Tester contain a potential denial-of-service vulnerability. Vulnerability Details CVEID:CVE-2026-2391 DESCRIPTION: Summary The arrayLimit option in qs does not enforce limits for comma-separated values when...
CLEANSTART-2026-DU32240 Security fixes for CVE-2026-2391, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802, ghsa-34x7-hfp2-rc4v, ghsa-5359-pvf2-pw78, ghsa-73rr-hh4g-fpgx, ghsa-8qq5-rm4j-mr97, ghsa-r6q2-hw4h-h46w applied in versions: 4.2.1.1-r1, 4.2.1.1-r2, 4.3.0.1-r0, 4.3.1-r0
Multiple security vulnerabilities affect the thingsboard-tb-web-ui package. These issues are resolved in later releases. See references for individual vulnerability details...
Security Bulletin: Vulnerability affects IBM watsonx Orchestrate with watsonx Assistant Cartridge
Summary A potential vulnerability has been identified that affects IBM watsonx Orchestrate with watsonx Assistant Cartridge - UAB Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2026-2391 DESCRIPTION: Summary The arrayLim...
CVE-2026-2391 vulnerabilities
Vulnerabilities for packages: thingsboard, json-server, opensearch-dashboards, code-server, sqlpad, tileserver-gl, langfuse, kubeflow-pipelines, saf, argo-workflows, kubeflow-centraldashboard...
CVE-2026-2391 vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, librechat, saf, code-server, langfuse-fips, opensearch-dashboards, redisinsight, kubeflow-pipelines, json-server, sqlpad, tileserver-gl-fips, langfuse, argo-workflows, tileserver-gl, thingsboard-fips, opensearch-dashboards-fips, thingsboard...
Linux Distros Unpatched Vulnerability : CVE-2026-2391
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-servi...
AZL-77597 CVE-2026-2391 affecting package nodejs-nodemon 2.0.3-5
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
DEBIAN-CVE-2026-2391
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
CVE-2026-2391
creationtimestamp | type | source
--- | --- | ---
2026-02-12 04:39:47+00:00 | published-proof-of-concept | https://github.com/ljharb/qs/security/advisories/GHSA-w7fw-mjwx-w883
2026-02-12 17:40:24+00:00 | seen | https://gist.github.com/alon710/c6963cc90ba7a2a5c311d6e3cd8e6558
2026-02-19 12:48:01+00:00 | seen...
CVE-2026-2391
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
CVE-2026-2391
CVE-2026-2391 : The qs library vulnerability arises when comma parsing is enabled (comma: true). The parser returns val.split(',') before the arrayLimit check is applied, so a single parameter containing many commas (e.g., ?param=a,b,c,... with a high density of commas) produces an array far larger than arrayLimit allows. This ...
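The bypass described in this entry, as an added illustration that is not code from qs or from any of the bulletins listed here: a minimal query-string parser whose comma path returns the split result before any limit check, beside a hardened variant that counts separators and rejects the value before the oversize array is ever allocated. The function names, the parseQuery helper, the RangeError rejection and the constructed comma-only payload are my own assumptions, not qs's API or its actual fix.

```javascript
// Added example, not qs source. Reproduces the comma: true arrayLimit bypass
// described for CVE-2026-2391 and shows one way to close it. Names and the
// RangeError behaviour are assumptions for illustration.

const DEFAULT_ARRAY_LIMIT = 20; // matches qs's documented default arrayLimit

// Vulnerable shape: with comma: true the value is split and returned before
// arrayLimit is consulted, so one parameter yields an arbitrarily large array.
function parseValueVulnerable(val, opts) {
  if (opts.comma && typeof val === 'string' && val.indexOf(',') !== -1) {
    return val.split(',');
  }
  return val;
}

// Hardened shape: count separators first so the oversize array is never
// allocated, and reject the value as soon as it would exceed arrayLimit.
function parseValueHardened(val, opts) {
  const limit = opts.arrayLimit === undefined ? DEFAULT_ARRAY_LIMIT : opts.arrayLimit;
  if (opts.comma && typeof val === 'string' && val.indexOf(',') !== -1) {
    let elements = 1;
    for (let i = 0; i < val.length; i++) {
      if (val.charCodeAt(i) === 44 /* ',' */) {
        elements++;
        if (elements > limit) {
          throw new RangeError('Array limit exceeded: at most ' + limit + ' elements allowed');
        }
      }
    }
    return val.split(',');
  }
  return val;
}

// Tiny "k=v&k2=v2" parser with no percent-decoding; the value parser is
// injected so both behaviours can be compared on identical input.
function parseQuery(qs, opts, parseValue) {
  const out = Object.create(null);
  if (qs === '') return out;
  for (const part of qs.split('&')) {
    const eq = part.indexOf('=');
    const key = eq === -1 ? part : part.slice(0, eq);
    const raw = eq === -1 ? '' : part.slice(eq + 1);
    out[key] = parseValue(raw, opts);
  }
  return out;
}

// Constructed attack input: one parameter consisting only of commas.
// Splitting it yields commaCount + 1 empty-string elements.
function commaBomb(commaCount) {
  return 'param=' + ','.repeat(commaCount);
}

function demo() {
  const opts = { comma: true, arrayLimit: 20 };
  const vulnerable = parseQuery(commaBomb(100000), opts, parseValueVulnerable);
  let hardenedRejected = false;
  try {
    parseQuery(commaBomb(100000), opts, parseValueHardened);
  } catch (e) {
    hardenedRejected = e instanceof RangeError;
  }
  return {
    vulnerableLength: vulnerable.param.length, // 100001, far above arrayLimit
    hardenedRejected,                          // true
    normal: parseQuery('a=1,2,3&b=x', opts, parseValueHardened), // a: ['1','2','3'], b: 'x'
  };
}

console.log(demo());
```

Counting separators before calling split is the point of the hardened version: a check that runs after the split has already paid the allocation cost the attacker wanted. Whether to throw or to fall back to the raw string is a policy choice; throwing surfaces the bad request to the caller instead of silently changing its shape.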
MiracleLinux 8 : ruby:2.7 (AXSA:2021-2391:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-2391:01 advisory. ruby: Potential HTTP request smuggling in WEBrick CVE-2020-25613 ruby: XML round-trip vulnerability in REXML CVE-2021-28965 Tenable has extracted th...
EUVD-2026-2391
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application...
Linux Distros Unpatched Vulnerability : CVE-2019-2391
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data...
CVE-2023-2391
A vulnerability was found in Netgear SRX5308 up to 4.3.5-3 and classified as problematic. This issue affects some unknown processing of the file scgi-bin/platform.cgi?page=timezone.htm of the component Web Management Interface. The manipulation of the argument ntp.server2 leads to cross site...
CVE-2025-2391
CVE-2025-2391 affects code-projects Blood Bank Management System version 1.0, specifically the Admin Login Page vulnerability at /admin/admin_login.php. The flaw permits SQL injection through manipulated input, enabling remote exploitation. Multiple connected sources corroborate the critical seve...
Linux Distros Unpatched Vulnerability : CVE-2016-2391
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL...