69 matches found

Cvelist
added 2 days ago

CVE-2026-53539 Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

CVSS 7.5, EPSS 0.00263
Exploits: 0, References: 1

OSV
added 2026/06/15 8:24 p.m.

GHSA-5RVQ-CXJ2-64VF python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service

Summary When parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the...

CVSS 7.5, AI score 5.6, EPSS 0.00263
Exploits: 0, References: 2

Snyk
added 2026/06/15 8:24 p.m.

Inefficient Algorithmic Complexity

Overview python-multipart is a streaming multipart parser for Python. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the QuerystringParser function when parsing application/x-www-form-urlencoded bodies containing semicolon-separated fields. An attacker...

CVSS 8.7, AI score 5.4, EPSS 0.00263
Exploits: 0, References: 2

Github Security Blog
added 2026/06/15 8:22 p.m.

python-multipart: Semicolon treated as querystring field separator enables parameter smuggling

Summary QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only & as a separator. This creates a parser differential: the same bytes...

CVSS 5.9, AI score 5.5, EPSS 0.37325
Exploits: 1, References: 2, Affected Software: 1

OSV
added 2026/06/15 8:22 p.m.

GHSA-6JV3-5F52-599M python-multipart: Semicolon treated as querystring field separator enables parameter smuggling

Summary QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only & as a separator. This creates a parser differential: the same bytes...

CVSS 3.7, AI score 5.7, EPSS 0.00176
Exploits: 0, References: 2

Fedora
added 2026/06/13 1:13 a.m.

[SECURITY] Fedora 44 Update: vmod-querystring-2.0.3-13.fc44

The purpose of this module is to give you fine-grained control over a URL's query-string in Varnish Cache. It's possible to remove the query-string, clean it, sort its parameters or filter it to only keep a subset of them. This can greatly improve your hit ratio and efficiency with Varnish,...

AI score 5.3
Exploits: 0

Tenable Nessus
added 2026/06/13 12:00 a.m.

Fedora 44 : collectd / varnish / varnish-modules / vmod-querystring / vmod-uuid (2026-2148c0e80b)

The remote Fedora 44 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-2148c0e80b advisory. New upstream release varnish-8.0.2, a security release. Includes fix for VSV00019. Dependent packages are included in this update. Tenable has extracted the...

AI score 5.4
Exploits: 0, References: 1

UbuntuCve
added 2026/05/17 12:16 a.m.

CVE-2026-8723

Summary qs.stringify throws TypeError when called with arrayFormat: 'comma' and encodeValuesOnly: true on an array containing null or undefined. The throw is synchronous and not handled by any of qs's null-related options skipNulls, strictNullHandling. Details In the comma + encodeValuesOnly...

CVSS 6.3, AI score 5.9, EPSS 0.00351
Exploits: 0, References: 3

NVD
added 2026/05/14 9:16 a.m.

CVE-2026-6206

The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...

CVSS 5.3, EPSS 0.00351
Exploits: 0, References: 3

EUVD
added 2026/05/14 8:24 a.m.

EUVD-2026-30260

The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...

CVSS 5.3, AI score 5.8, EPSS 0.00351
Exploits: 0, References: 3

Positive Technologies
added 2026/05/14 12:00 a.m.

PT-2026-40896

Name of the Vulnerable Software and Affected Versions MW WP Form versions prior to 5.1.3 Description Insufficient restrictions in the get post property from querystring function allow unauthenticated attackers to extract data from private, draft, or password-protected posts. Recommendations Updat...

CVSS 5.3, AI score 5.8, EPSS 0.00351
Exploits: 0, References: 5

CVE
added 2026/04/30 8:09 p.m.

CVE-2026-7435

SSCMS v7.4.0 is affected by a SQL injection in the stl:sqlContent tag, where the queryString is passed directly to database execution without parameterization or sanitization. Attackers can submit encrypted payloads to the /api/stl/actions/dynamic endpoint to execute arbitrary SQL statements, lea...

CVSS 8.6, AI score 6.3, EPSS 0.00429
Exploits: 0, References: 3

CNNVD
added 2026/04/30 12:00 a.m.

SSCMS SQL Injection Vulnerability

SSCMS SiteServerCMS is a content management system developed by SSCMS Corporation in China. Version 7.4.0 of SSCMS contains an SQL injection vulnerability. This vulnerability arises because the queryString attribute within the stl:sqlContent tag is passed directly to the database without parameterization or sanitization...

CVSS 8.6, AI score 6.1, EPSS 0.00429
Exploits: 0, References: 1

IBM Security Bulletins
added 2026/04/10 1:11 p.m.

Security Bulletin: DevOps Test Performance and Rational Performance Tester contains a vulnerability related to use of the qs library

Summary Due to use of the qs library, DevOps Test Performance and Rational Performance Tester contain a potential improper input validation vulnerability. CVE-2025-15284 Vulnerability Details CVEID: CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules allows HTTP...

CVSS 6.3, AI score 6.5, EPSS 0.0041
Exploits: 1, Affected Software: 1

Debian CVE
added 2026/02/12 4:39 a.m.

CVE-2026-2391

Summary The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in...

CVSS 7.5, AI score 7.2, EPSS 0.00478
Exploits: 1

Packet Storm News
added 2026/02/02 12:00 a.m.

TWiki 6.0.1 Cross Site Scripting

A cross site scripting vulnerability exists in TWiki version 6.0.1 via the QUERYSTRING parameter. The vulnerability allows remote attackers to inject arbitrary web script or HTML. This issue is older research added to the archive...

CVSS 4.3, AI score 5.2, EPSS 0.01903
Exploits: 2

EUVD
added 2025/10/07 12:30 a.m.

EUVD-2011-2892

Malware in sbrugna...

CVSS 4.3, AI score 6.2, EPSS 0.01188
Exploits: 0, References: 6

EUVD
added 2025/10/07 12:30 a.m.

EUVD-2008-6693

Malware in sbrugna...

CVSS 4.3, AI score 6.4, EPSS 0.01074
Exploits: 0, References: 6

EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-28735

Malicious code in bioql PyPI...

CVSS 4.3, AI score 6.2, EPSS 0.00189
Exploits: 1, References: 2

BDU FSTEC
added 2025/06/27 12:00 a.m.

The vulnerability in the Mozilla Firefox browser on Android operating systems, related to an open redirect, allows attackers to carry out phishing attacks.

The vulnerability in the Mozilla Firefox browser on Android operating systems is related to an open redirect during processing of the querystring parameter. Exploiting this vulnerability allows a remote attacker to carry out phishing attacks...

CVSS 5, AI score 5.5, EPSS 0.00189
Exploits: 1, References: 5, Affected Software: 1