CVE-2025-61726 Memory exhaustion in query parameter parsing in net/url

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containi...

Allocation of Resources Without Limits or Throttling

Overview std/net/url is a Go standard library package std/net/url Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: The net/url package does not set a limit on the number of query parameters in a query. While the...

GO-2026-4341 Memory exhaustion in query parameter parsing in net/url

The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containi...

Google Go 安全漏洞

Google Go is a static strongly typed, compiled, concatenated, and garbage-collected programming language from Google. A denial of service vulnerability exists in Google Go, which stems from an unrestricted number of query parameters, which can be exploited by an attacker to cause excessive memory...

MiracleLinux 8 : grafana-7.5.15-4.el8.ML.1 (AXSA:2023-6073:05)

The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2023-6073:05 advisory. golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters CVE-2022-2880 golang: net/http: handle server errors after...

CVE-2026-23846

CVE-2026-23846 — Tugtainer password exposure : Tugtainer (self-hosted Docker updater) before version 1.16.1 transmits passwords via URL query parameters instead of the HTTP request body. This enables passwords to be logged in server access logs and potentially exposed through browser history, Ref...

CVE-2026-23846 Tugtainer vulnerable to Password Exposure via URL Query Parameter

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially...

EUVD-2026-3294

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially...

PT-2026-3491

Name of the Vulnerable Software and Affected Versions Tugtainer versions prior to 1.16.1 Description Tugtainer is a self-hosted application designed for automating updates of Docker containers. Prior to version 1.16.1, the password authentication process transmits passwords through URL query...

USN-7960-1: Rack vulnerabilities

It was discovered that Rack incorrectly handled certain query parameters. An attacker could possibly use this issue to cause a limited denial of service. This issue was only addressed in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. CVE-2025-59830 It was discovered that Rack did not properly handle...

USN-7960-1 ruby-rack vulnerabilities

It was discovered that Rack incorrectly handled certain query parameters. An attacker could possibly use this issue to cause a limited denial of service. This issue was only addressed in Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. CVE-2025-59830 It was discovered that Rack did not properly handle...

ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler

Impact Vulnerability Type: CRLF Injection via ConfigParser An attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. Affected Users: Users...

TinyWeb Server 操作系统命令注入漏洞

TinyWeb Server is a web server by Maxim Masiutin, an individual developer. An operating system command injection vulnerability exists in versions of TinyWeb Server prior to 1.98, which stems from passing commands via CGI ISINDEX style query parameters, which could lead to an OS command injection...

CVE-2026-22777

ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or...

CVE-2026-22777 ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler

ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or...

PT-2026-2261

Name of the Vulnerable Software and Affected Versions ComfyUI-Manager versions prior to 3.39.2 ComfyUI-Manager versions prior to 4.0.5 Description ComfyUI-Manager, an extension for ComfyUI, is susceptible to arbitrary configuration injection. An attacker can inject special characters into HTTP...

CVE-2022-0201

The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue...

Improper Access Control

@strapi/core is vulnerable to improper access control. The vulnerability is due to improper sanitization of query parameters in the document service lookup operator, which allows an attacker to craft malicious queries to access private fields such as admin passwords and reset tokens...

VulnCheck KEV: CVE-2021-34427

In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote current BIRT viewer dir to inject JSP code into the running instance...

EUVD-2025-202629

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request...