CVE-2026-6206

The MW WP Form plugin for WordPress (versions

CLSA-2026-1778670864 php: Fix of CVE-2026-6735

CVE-2026-6735: HTML-encode proc.requesturi and tighten querystring entity flags in sapi/fpm/fpm/fpmstatus.c to fix XSS in PHP-FPM status endpoint...

CLSA-2026-1778535928 python: Fix of 2 CVEs

CVE-2021-3733: fix ReDoS in urllib2 AbstractBasicAuthHandler regex; the legacy '?:.,' prefix is replaced with the upstream-3.x form '?:^|,' and the scheme charset excludes ',' to prevent quadratic backtracking on crafted WWW-Authenticate headers - CVE-2021-23336: stop accepting ';' as a default...

Prototype Pollution

Overview query-string-parser is a Rack style query string parser for Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the fillValue function. An attacker can modify the prototype of built-in objects by supplying crafted query parameters. Details Prototype...

friendly-frame (>=0.0.1 <=0.0.2) potentially affected by CVE-2025-63704 via query-string-parser (=0.2.4)

query-string-parser NPM version =0.2.4 is affected by a known vulnerability. The following packages have a transitive dependency on query-string-parser and may be impacted: - friendly-frame =0.0.1, =0.0.2 Source cves: CVE-2025-63704 Source advisory: SNYK:JS-QUERYSTRINGPARSER-17181191...

BIT-MODSECURITY2-2026-30923 libModSecurity3 denial of service via segfault when using t:hexDecode on single-character query strings

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a...

SUSE CVE-2026-30923

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a...

Query String Parser 安全漏洞

Query String Parser is a JavaScript tool for parsing query strings developed by Victor Teo. Version 1.0.0 of Query String Parser has a security vulnerability. This vulnerability arises from improper cleaning of query parameters provided by users and their merging into newly created objects, which...

CVE-2026-30246

Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key...

EUVD-2026-27313

Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key...

CVE-2026-30246

Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key...

PT-2026-37291

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 29.0 Description An issue exists where the endpoint 'plugin/MobileManager/oauth2.php' completes an OAuth login by redirecting the user to 'oauth2Success.php' via an HTTP 302 response. This redirect includes the user's...

Linux Distros Unpatched Vulnerability : CVE-2026-30923

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity ...

CVE-2026-7435

SSCMS v7.4.0 contains a SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. Attackers can craft encrypted payloads submitted to the /api/stl/actions/dynamic endpoint to execute...

EUVD-2026-26437

SSCMS v7.4.0 contains a SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. Attackers can craft encrypted payloads submitted to the /api/stl/actions/dynamic endpoint to execute...

CVE-2026-7435 SSCMS v7.4.0 SQL Injection via stl:sqlContent queryString

SSCMS v7.4.0 contains a SQL injection vulnerability in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. Attackers can craft encrypted payloads submitted to the /api/stl/actions/dynamic endpoint to execute...

PT-2026-36186

Name of the Vulnerable Software and Affected Versions SSCMS version 7.4.0 Description An issue exists in the stl:sqlContent tag where the queryString attribute is passed directly to database execution without parameterization or sanitization. This allows attackers to submit encrypted payloads to...

Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters

Summary Fiber cache middleware's default key generator uses only c.Path and does not include the query string. As a result, requests like /?id=1 and /?id=2 can map to the same cache key and share the same cached response. This can cause response mix-up cache poisoning-like behavior for endpoints...

GHSA-35HP-HQMV-8QG8 Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters

Summary Fiber cache middleware's default key generator uses only c.Path and does not include the query string. As a result, requests like /?id=1 and /?id=2 can map to the same cache key and share the same cached response. This can cause response mix-up cache poisoning-like behavior for endpoints...

CVE-2026-41428

Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public no-auth endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint ...