214 matches found
Allocation of Resources Without Limits or Throttling
Overview qs is a querystring parser that supports nesting and arrays, with a depth limit. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parseArrayValue function when the comma option is in use. An attacker can exhaust system memor...
org.webjars.npm:body-parser (>=1.20.0 <=1.20.3), org.webjars.npm:express (=4.18.1) +1 more potentially affected by CVE-2026-2391 via org.webjars.npm:qs (>=6.10.3 <=6.13.0)
org.webjars.npm:qs MAVEN version =6.10.3, =1.20.0, =8.4.7, =9.0.0-next.2 Source cves: CVE-2026-2391 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15268417...
Allocation of Resources Without Limits or Throttling
Overview org.webjars.npm:qs is a querystring parser that supports nesting and arrays, with a depth limit. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parseArrayValue function when the comma option is in use. An attacker can...
CVE-2026-2391
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
AZL-77616 CVE-2026-2391 affecting package nodejs-nodemon 2.0.3-4
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
AZL-77594 CVE-2026-2391 affecting package js-jquery 3.5.0-4
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
AZL-77597 CVE-2026-2391 affecting package nodejs-nodemon 2.0.3-5
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
UBUNTU-CVE-2026-2391
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
CVE-2026-2391
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
CVE-2026-2391 qs's arrayLimit bypass in comma parsing allows denial of service
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
CVE-2026-2391
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
CVE-2026-2391 qs's arrayLimit bypass in comma parsing allows denial of service
Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...
CVE-2026-2391
CVE-2026-2391 : The qs library vulnerability arises when using comma parsing (comma: true). The code bypasses the arrayLimit check by returning val.split(',') before the limit, allowing creation of very large arrays from a single parameter (e.g., ?param=a,b,c with a high density of commas). This ...
PT-2026-7816
Name of the Vulnerable Software and Affected Versions qs affected versions not specified Description The arrayLimit option in the qs library does not correctly enforce limits when parsing comma-separated values with the comma option enabled. This allows attackers to potentially cause a...
Important: Red Hat Security Advisory: OpenShift Container Platform 4.21.1 bug fix and security update
Red Hat OpenShift Container Platform release 4.21.1 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.21. Red Hat Product Security has rated this update as having a...
Security Bulletin: qs parse module DoS vulnerability: arrayLimit bypass via bracket notation allows memory exhaustion (qs < 6.14.1)
Summary An input validation flaw in qs 6.14.1 allows attackers to bypass arrayLimit using bracket notation a=x, leading to unauthenticated HTTP denial-of-service via memory exhaustion. Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse...
MAL-2026-528 Malicious code in @shije/new-qs (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c217f00985a52bf4f5fbfa5dc34780dec977ad068e3d7f410e3ffa43a1df1e7d The package @shije/new-qs was found to contain malicious code. Source: ghsa-malware 78d2627d513a4310f6f6edc23265e8b98bd4d9f33fca8ff85b0380275e54bfd9...
Malicious Package
Overview @shije/new-qs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
TencentOS Server 4: grafana (TSSA-2026:0007)
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0007 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...
00ld8nuivn (=2.1.0), 00rqiw31nd (=2.1.0) +42013 more potentially affected by CVE-2025-15284 via qs (>=0.1.0 <=6.14.0)
qs NPM version =0.1.0, =6.14.0 is affected by a known vulnerability. The following packages have a transitive dependency on qs and may be impacted: - 00ld8nuivn =2.1.0 - 00rqiw31nd =2.1.0 - 01dk01majk =2.1.0 - 02rjq8i863 =1.1.0 - 02vx8qsp01 =2.1.0 - 05y6tjgmws =1.1.0 - 066m7q8o0z =2.1.0 -...