61 matches found

UbuntuCve
added 2026/05/17 12:16 a.m. | 2 views

CVE-2026-8723

Summary: qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs's null-related options (skipNulls, strictNullHandling). Details: In the comma + encodeValuesOnly...

CVSS 6.3 | AI score 5.9 | EPSS 0.00044
Exploits: 0 | References: 3

NVD
added 2026/05/14 9:16 a.m. | 5 views

CVE-2026-6206

The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...

CVSS 5.3 | EPSS 0.00048
Exploits: 0 | References: 3

EUVD
added 2026/05/14 8:24 a.m. | 3 views

EUVD-2026-30260

The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...

CVSS 5.3 | AI score 5.8 | EPSS 0.00048
Exploits: 0 | References: 3

Positive Technologies
added 2026/05/14 12:00 a.m. | 5 views

PT-2026-40896

Name of the Vulnerable Software and Affected Versions: MW WP Form versions prior to 5.1.3 Description: Insufficient restrictions in the get post property from querystring function allow unauthenticated attackers to extract data from private, draft, or password-protected posts. Recommendations: Updat...

CVSS 5.3 | AI score 5.8 | EPSS 0.00048
Exploits: 0 | References: 5

CVE
added 2026/04/30 8:09 p.m. | 4 views

CVE-2026-7435

SSCMS v7.4.0 is affected by a SQL injection in the stl:sqlContent tag, where the queryString is passed directly to database execution without parameterization or sanitization. Attackers can submit encrypted payloads to the /api/stl/actions/dynamic endpoint to execute arbitrary SQL statements, lea...

CVSS 8.6 | AI score 6.3 | EPSS 0.00164
Exploits: 0 | References: 3

CNNVD
added 2026/04/30 12:00 a.m. | 5 views

SSCMS SQL injection vulnerability

SSCMS (SiteServerCMS) is a content management system developed by SSCMS Corporation in China. Version 7.4.0 of SSCMS contains an SQL injection vulnerability. This vulnerability arises from the unparameterized, unsanitized direct passing of the queryString attribute within the stl:sqlContent tag...

CVSS 8.6 | AI score 6.1 | EPSS 0.00164
Exploits: 0 | References: 1

IBM Security Bulletins
added 2026/04/10 1:11 p.m. | 1 view

Security Bulletin: DevOps Test Performance and Rational Performance Tester contains a vulnerability related to use of the qs library

Summary: Due to use of the qs library, DevOps Test Performance and Rational Performance Tester contain a potential improper input validation vulnerability. CVE-2025-15284 Vulnerability Details: CVEID: CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules allows HTTP...

CVSS 6.3 | AI score 6.5 | EPSS 0.0004
Exploits: 1 | Affected Software: 1

Debian CVE
added 2026/02/12 4:39 a.m. | 1 view

CVE-2026-2391

Summary: The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...

CVSS 7.5 | AI score 7.2 | EPSS 0.0005
Exploits: 1

Packet Storm News
added 2026/02/02 12:00 a.m. | 3 views

TWiki 6.0.1 Cross Site Scripting

A cross site scripting vulnerability exists in TWiki version 6.0.1 via the QUERYSTRING parameter. The vulnerability allows remote attackers to inject arbitrary web script or HTML. This issue is older research added to the archive...

CVSS 4.3 | AI score 5.2 | EPSS 0.00336
Exploits: 2

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2011-2892

Malware in sbrugna...

CVSS 4.3 | AI score 6.2 | EPSS 0.00389
Exploits: 0 | References: 6

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2008-6693

Malware in sbrugna...

CVSS 4.3 | AI score 6.4 | EPSS 0.00357
Exploits: 0 | References: 6

EUVD
added 2025/10/03 8:07 p.m. | 2 views

EUVD-2025-28735

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 6.2 | EPSS 0.00177
Exploits: 1 | References: 2

OSV
added 2025/06/24 1:15 p.m. | 0 views

CVE-2025-6428

When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. This bug only affects Firefox for Android. Other versions of Firefox are unaffected. This vulnerability affects Firefox 140...

CVSS 4.3 | AI score 5.8
Exploits: 0 | References: 2

OSV
added 2025/06/24 1:15 p.m. | 0 views

UBUNTU-CVE-2025-6428

When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. This bug only affects Firefox for Android. Other versions of Firefox are unaffected. This vulnerability was fixed in Firefox 140...

CVSS 4.3 | AI score 5.8 | EPSS 0.00177
Exploits: 1 | References: 5

Positive Technologies
added 2025/06/24 12:00 a.m. | 1 view

PT-2025-26725

Name of the Vulnerable Software and Affected Versions: Firefox for Android versions prior to 140 Description: The issue can potentially lead to phishing attacks, because a URL provided in a link querystring parameter is followed instead of the correct URL. This affects Firefox for...

CVSS 9.8 | AI score 7.9 | EPSS 0.19171
Exploits: 3 | References: 326

RedhatCVE
added 2025/04/11 4:02 p.m. | 4 views

CVE-2025-32371

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A URL could be crafted to the DNN ImageHandler to render text from a querystring parameter. This text would display in the resulting image and a user that trusts the domain might think that t...

CVSS 4.3 | AI score 6.4 | EPSS 0.00348
Exploits: 0 | References: 1

CNNVD
added 2025/02/05 12:00 a.m. | 1 view

dot-querystring security vulnerability

dot-querystring is a dot notation library for node query strings by the individual developer Naoya Tsutsumi. A security vulnerability exists in dot-querystring version v0.2.0, which stems from the lib.parse function containing a prototype pollution vulnerability...

CVSS 7.5 | AI score 6.8 | EPSS 0.00191
Exploits: 0 | References: 1

Veracode
added 2024/05/28 5:04 a.m. | 6 views

Cross Site Scripting (XSS)

silverstripe/framework is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to inadequate sanitisation of the rewriteHashlinks option in SSViewer, allowing an attacker to inject HTML through the querystring...

AI score 6.4
Exploits: 0

OSV
added 2024/05/23 3:21 p.m. | 5 views

GHSA-34Q6-XQXH-GQ39 Silverstripe XSS In rewritten hash links

A high level XSS vulnerability has been discovered in the SilverStripe framework which causes links containing hash anchors (e.g. href="anchor") to be rewritten in an unsafe way. The rewriteHashlinks option on SSViewer will rewrite these to contain the current url, although without adequate escapin...

CVSS 6.1 | AI score 6
Exploits: 0 | References: 5

SUSE CVE
added 2023/02/15 5:51 a.m. | 1 view

SUSE CVE-2011-2919

Cross-site scripting (XSS) vulnerability in Spacewalk 1.6, as used in Red Hat Network (RHN) Satellite, allows remote attackers to inject arbitrary web script or HTML via the QueryString to the SystemGroupList.do page...

CVSS 4.3 | AI score 5.8 | EPSS 0.00389
Exploits: 0 | References: 3