CWE-598
Use of HTTP Request With Sensitive Query String
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.
80 vulnerabilities with CWE-598
CVE-2026-10078
LOW
Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring
CVSS 2.7
CVE-2026-44883
HIGH
Portainer: JWT accepted in URL query leaks tokens to logs and referers
CVSS 7.5
CVE-2026-2237
MEDIUM
Synology Storage Manager < 1.0.1-1100 - Use of HTTP Request With Sensitive Query String
CVSS 6.2
CVE-2026-43875
MEDIUM
WWBN AVideo: Password Hash Leaked in MobileManager OAuth Redirect URL Enables Account Takeover
CVSS 6.8
CVE-2026-37504
MEDIUM
V2Board thru 1.7.4 - Info Disclosure
CVSS 5.3
CVE-2026-34020
HIGH
Apache OpenMeetings: Login Credentials Passed via GET Query Parameters
CVSS 7.5
CVE-2026-27949
LOW
Plane Exposes User Email (PII and part of credential) in GET Parameter
CVSS 2.0
CVE-2026-34969
HIGH
Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback
CVSS 7.5
CVE-2026-25118
HIGH
immich-server: Insecure Transmission of Authentication Credentials via Password Parameter in HTTP Request Query String When Accessing Shared Albums
CVSS 7.5
CVE-2026-33620
MEDIUM
PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems
CVSS 4.3
CVE-2026-31381
MEDIUM
Gainsight Assist plugin information disclosure
CVSS 5.3
CVE-2026-26196
MEDIUM
Gogs < 0.14.2 - Sensitive Token Exposure via URL Query Parameters
CVSS 5.3
CVE-2026-26721
HIGH
Key Systems GFMS 20230721a - Info Disclosure
CVSS 7.1
CVE-2026-23846
HIGH
Tugtainer <1.16.1 - Info Disclosure
CVSS 8.1
CVE-2026-22644
MEDIUM
SICK Incoming Goods Suite - Session Hijacking via Sensitive Query String in HTTP Request
CVSS 5.3
CVE-2025-62317
LOW
HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters.
CVSS 2.6
CVE-2025-14808
LOW
IBM InfoSphere Information Server is vulnerable due to disclosure of sensitive information
CVSS 3.1
CVE-2025-14811
LOW
IBM Sterling Partner Engagement Manager 6.2.3.0-6.2.3.5/6.2.4.0-6.2.4.2 - Info Disclosure
CVSS 3.1
CVE-2025-13219
MEDIUM
IBM Aspera Orchestrator 3.0.0-4.1.2 - Info Disclosure
CVSS 5.9
CVE-2025-41772
HIGH
mbs-solutions universal_bacnet_router_firmware < 6.0.1.0 - Session Token Exposure via wwwupdate.cgi
CVSS 7.5
CVE-2025-59873
MEDIUM
HCL ZIE for Web v16 - Info Disclosure
CVSS 5.9
CVE-2025-69634
CRITICAL
Dolibarr ERP & CRM 22.0.9 - Cross-Site Request Forgery via Notes Field in perms.php
CVSS 9.0
CVE-2025-69270
CRITICAL
Broadcom DX NetOps Spectrum <24.3.8 - Info Disclosure
CVSS 9.8
CVE-2025-36371
MEDIUM
IBM i 7.2-7.6 - Unauthorized Information Disclosure in Database Plan Cache
CVSS 6.5
CVE-2025-31954
MEDIUM
HCL iAutomate 6.5.1-6.5.2 - Sensitive Information Disclosure via HTTP Query String
CVSS 5.4