Lucene search
K

214 matches found

Snyk
Snyk
added 2026/02/12 5:20 a.m.7 views

Allocation of Resources Without Limits or Throttling

Overview qs is a querystring parser that supports nesting and arrays, with a depth limit. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parseArrayValue function when the comma option is in use. An attacker can exhaust system memor...

8.2CVSS5.7AI score0.00478EPSS
Exploits1References2
vulnersOsv
vulnersOsv
added 2026/02/12 5:20 a.m.7 views

org.webjars.npm:body-parser (>=1.20.0 <=1.20.3), org.webjars.npm:express (=4.18.1) +1 more potentially affected by CVE-2026-2391 via org.webjars.npm:qs (>=6.10.3 <=6.13.0)

org.webjars.npm:qs MAVEN version =6.10.3, =1.20.0, =8.4.7, =9.0.0-next.2 Source cves: CVE-2026-2391 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15268417...

7.5CVSS7AI score0.00478EPSS
Exploits1
Snyk
Snyk
added 2026/02/12 5:20 a.m.4 views

Allocation of Resources Without Limits or Throttling

Overview org.webjars.npm:qs is a querystring parser that supports nesting and arrays, with a depth limit. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parseArrayValue function when the comma option is in use. An attacker can...

8.2CVSS7.1AI score0.00478EPSS
Exploits1References2
NVD
NVD
added 2026/02/12 5:17 a.m.13 views

CVE-2026-2391

Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...

7.5CVSS0.00478EPSS
Exploits1References2
OSV
OSV
added 2026/02/12 5:17 a.m.8 views

AZL-77616 CVE-2026-2391 affecting package nodejs-nodemon 2.0.3-4

Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...

7.5CVSS7.1AI score0.00478EPSS
Exploits1References1
OSV
OSV
added 2026/02/12 5:17 a.m.9 views

AZL-77594 CVE-2026-2391 affecting package js-jquery 3.5.0-4

Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...

7.5CVSS5.8AI score0.00478EPSS
Exploits1References1
OSV
OSV
added 2026/02/12 5:17 a.m.4 views

AZL-77597 CVE-2026-2391 affecting package nodejs-nodemon 2.0.3-5

Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...

7.5CVSS7.1AI score0.00478EPSS
Exploits1References1
OSV
OSV
added 2026/02/12 5:17 a.m.6 views

UBUNTU-CVE-2026-2391

Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...

7.5CVSS7.1AI score0.00478EPSS
Exploits1References4
UbuntuCve
UbuntuCve
added 2026/02/12 5:17 a.m.4 views

CVE-2026-2391

Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...

7.5CVSS6.4AI score0.00478EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/02/12 4:39 a.m.36 views

CVE-2026-2391 qs's arrayLimit bypass in comma parsing allows denial of service

Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...

6.3CVSS0.00478EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/02/12 4:39 a.m.3 views

CVE-2026-2391

Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...

6.3CVSS5.5AI score0.00478EPSS
Exploits2References3
Vulnrichment
Vulnrichment
added 2026/02/12 4:39 a.m.7 views

CVE-2026-2391 qs's arrayLimit bypass in comma parsing allows denial of service

Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...

6.3CVSS5.5AI score0.00478EPSS
Exploits1References2
CVE
CVE
added 2026/02/12 4:39 a.m.82 views

CVE-2026-2391

CVE-2026-2391 : The qs library vulnerability arises when using comma parsing (comma: true). The code bypasses the arrayLimit check by returning val.split(',') before the limit, allowing creation of very large arrays from a single parameter (e.g., ?param=a,b,c with a high density of commas). This ...

7.5CVSS5.5AI score0.00478EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/12 12:0 a.m.7 views

PT-2026-7816

Name of the Vulnerable Software and Affected Versions qs affected versions not specified Description The arrayLimit option in the qs library does not correctly enforce limits when parsing comma-separated values with the comma option enabled. This allows attackers to potentially cause a...

7.5CVSS6.5AI score0.00478EPSS
Exploits1References157
RedHat Linux
RedHat Linux
added 2026/02/10 9:39 a.m.17 views

Important: Red Hat Security Advisory: OpenShift Container Platform 4.21.1 bug fix and security update

Red Hat OpenShift Container Platform release 4.21.1 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.21. Red Hat Product Security has rated this update as having a...

9.1CVSS6.7AI score0.00585EPSS
Exploits2References7
IBM Security Bulletins
IBM Security Bulletins
added 2026/02/06 12:44 p.m.9 views

Security Bulletin: qs parse module DoS vulnerability: arrayLimit bypass via bracket notation allows memory exhaustion (qs < 6.14.1)

Summary An input validation flaw in qs 6.14.1 allows attackers to bypass arrayLimit using bracket notation a=x, leading to unauthenticated HTTP denial-of-service via memory exhaustion. Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse...

6.3CVSS5.6AI score0.0041EPSS
Exploits1Affected Software1
OSV
OSV
added 2026/01/27 7:55 a.m.4 views

MAL-2026-528 Malicious code in @shije/new-qs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c217f00985a52bf4f5fbfa5dc34780dec977ad068e3d7f410e3ffa43a1df1e7d The package @shije/new-qs was found to contain malicious code. Source: ghsa-malware 78d2627d513a4310f6f6edc23265e8b98bd4d9f33fca8ff85b0380275e54bfd9...

5.8AI score
Exploits0References1
Snyk
Snyk
added 2026/01/27 7:55 a.m.1 views

Malicious Package

Overview @shije/new-qs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/01/12 12:0 a.m.5 views

TencentOS Server 4: grafana (TSSA-2026:0007)

"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0007 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

6.3CVSS6.4AI score0.0041EPSS
Exploits1References2
vulnersOsv
vulnersOsv
added 2025/12/30 9:2 p.m.9 views

00ld8nuivn (=2.1.0), 00rqiw31nd (=2.1.0) +42013 more potentially affected by CVE-2025-15284 via qs (>=0.1.0 <=6.14.0)

qs NPM version =0.1.0, =6.14.0 is affected by a known vulnerability. The following packages have a transitive dependency on qs and may be impacted: - 00ld8nuivn =2.1.0 - 00rqiw31nd =2.1.0 - 01dk01majk =2.1.0 - 02rjq8i863 =1.1.0 - 02vx8qsp01 =2.1.0 - 05y6tjgmws =1.1.0 - 066m7q8o0z =2.1.0 -...

6.3CVSS6.6AI score0.0041EPSS
Exploits1
Rows per page
Query Builder