Total
64 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-26196 | 1 Gogs | 1 Gogs | 2026-03-05 | N/A | 5.3 MEDIUM |
|
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2.
|
|||||
| CVE-2025-59873 | 2026-02-26 | N/A | 5.9 MEDIUM | ||
|
An information exposure vulnerability exists in
Vulnerability in HCL Software ZIE for Web.
The application transmits sensitive session tokens and authentication identifiers within the URL query parameters . An attacker who gains access to any network log or operates a site linked from the application can hijack user sessions
This issue affects ZIE for Web: v16.
|
|||||
| CVE-2026-26721 | 1 Keystorage | 1 Global Facilities Management Software | 2026-02-26 | N/A | 7.1 HIGH |
|
An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter.
|
|||||
| CVE-2025-69634 | 2026-02-14 | N/A | 9.0 CRITICAL | ||
|
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token of an admin user.
|
|||||
| CVE-2026-23846 | 1 Quenary | 1 Tugtainer | 2026-02-05 | N/A | 8.1 HIGH |
|
Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue.
|
|||||
| CVE-2025-49188 | 1 Sick | 1 Field Analytics | 2026-01-29 | N/A | 5.3 MEDIUM |
|
The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.
|
|||||
| CVE-2026-22644 | 1 Sick | 1 Incoming Goods Suite | 2026-01-29 | N/A | 5.3 MEDIUM |
|
Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs, proxy logs and Referer headers, which could allow an attacker to hijack the user's session and gain unauthorized access.
|
|||||
| CVE-2025-58584 | 1 Sick | 5 Baggage Analytics, Enterprise Analytics, Logistic Diagnostic Analytics and 2 more | 2026-01-27 | N/A | 5.3 MEDIUM |
|
In the HTTP request, the username and password are transferred directly in the URL as parameters. However, URLs can be stored in various systems such as server logs, browser histories or proxy servers. As a result, there is a high risk that this sensitive data will be disclosed unintentionally.
|
|||||
| CVE-2025-69270 | 3 Broadcom, Linux, Microsoft | 3 Dx Netops Spectrum, Linux Kernel, Windows | 2026-01-14 | N/A | 9.8 CRITICAL |
|
Information Exposure Through Query Strings in GET Request vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Session Hijacking.This issue affects DX NetOps Spectrum: 24.3.8 and earlier.
|
|||||
| CVE-2025-32916 | 1 Checkmk | 1 Checkmk | 2025-12-04 | N/A | 4.3 MEDIUM |
|
Potential use of sensitive information in GET requests in Checkmk GmbH's Checkmk versions <2.4.0p13, <2.3.0p38, <2.2.0p46, and 2.1.0 (EOL) may cause sensitive form data to be included in URL query parameters, which may be logged in various places such as browser history or web server logs.
|
|||||
| CVE-2025-36371 | 1 Ibm | 1 I | 2025-11-24 | N/A | 6.5 MEDIUM |
|
IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 are impacted by obtaining an information vulnerability in the database plan cache implementation. A user with access to the database plan cache could see information they do not have authority to view.
|
|||||
| CVE-2025-31954 | 1 Hcltech | 1 Dryice Iautomate | 2025-11-07 | N/A | 5.4 MEDIUM |
|
HCL iAutomate v6.5.1 and v6.5.2 is susceptible to a sensitive information disclosure. An HTTP GET method is used to process a request and includes sensitive information in the query string of that request. An attacker could potentially access information or resources they were not intended to see.
|
|||||
| CVE-2025-56551 | 1 Directadmin | 1 Directadmin | 2025-10-15 | N/A | 8.2 HIGH |
|
An issue in DirectAdmin v1.680 allows unauthorized attackers to manipulate the page layout and replace the legitimate login interface with arbitrary attacker-controlled content via supplying a crafted GET request.
|
|||||
| CVE-2025-50709 | 2025-09-17 | N/A | 4.3 MEDIUM | ||
|
An issue in Perplexity AI GPT-4 allows a remote attacker to obtain sensitive information via a GET parameter
|
|||||
| CVE-2025-50110 | 2025-09-15 | N/A | 8.8 HIGH | ||
|
An issue was discovered in the method push.lite.avtech.com.AvtechLib.GetHttpsResponse in AVTECH EagleEyes Lite 2.0.0, the GetHttpsResponse method transmits sensitive information - including internal server URLs, account IDs, passwords, and device tokens - as plaintext query parameters over HTTPS
|
|||||
| CVE-2025-54542 | 1 Opensolution | 1 Quick.cms | 2025-09-08 | N/A | 5.5 MEDIUM |
|
QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the necessary credentials to log in as the user.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
|
|||||
| CVE-2025-57800 | 1 Audiobookshelf | 1 Audiobookshelf | 2025-08-26 | N/A | 8.8 HIGH |
|
Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes Audiobookshelf to store an arbitrary callback in a cookie, which is later used to redirect the user after authentication. The server then issues a 302 redirect to the attacker-controlled URL, appending sensitive OIDC tokens as query parameters. This allows an at ...
Show More |
|||||
| CVE-2025-8997 | 2025-08-25 | N/A | N/A | ||
|
An Information Exposure vulnerability has been identified in OpenText Enterprise Security Manager. The vulnerability could be remotely exploited.
|
|||||
| CVE-2025-52901 | 1 Filebrowser | 1 Filebrowser | 2025-08-04 | N/A | 4.5 MEDIUM |
|
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to anyone having access to the URLs accessed by the user. This will give an attacker full access to a user's account and, in consequence, to all sensitive files the user has access to. This issue has been pa ...
Show More |
|||||
| CVE-2025-51651 | 1 Chshcms | 1 Mccms | 2025-07-17 | N/A | 5.5 MEDIUM |
|
An authenticated arbitrary file download vulnerability in the component /admin/Backups.php of Mccms v2.7.0 allows attackers to download arbitrary files via a crafted GET request.
|
|||||
| CVE-2025-0730 | 1 Tp-link | 2 Tl-sg108e, Tl-sg108e Firmware | 2025-07-16 | 2.6 LOW | 3.7 LOW |
|
A vulnerability classified as problematic has been found in TP-Link TL-SG108E 1.0.0 Build 20201208 Rel. 40304. Affected is an unknown function of the file /usr_account_set.cgi of the component HTTP GET Request Handler. The manipulation of the argument username/password leads to use of get request method with sensitive query strings. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed ...
Show More |
|||||
| CVE-2025-26058 | 1 Webkul | 1 Qloapps | 2025-07-09 | N/A | 4.2 MEDIUM |
|
Webkul QloApps v1.6.1 exposes authentication tokens in URLs during redirection. When users access the admin panel or other protected areas, the application appends sensitive authentication tokens directly to the URL.
|
|||||
| CVE-2025-40742 | 2025-07-08 | N/A | 5.3 MEDIUM | ||
|
A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) V9.6 (All versions), SIPROTEC 5 6MU85 (CP300) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions), SIPRO ...
Show More |
|||||
| CVE-2025-3637 | 1 Moodle | 1 Moodle | 2025-06-24 | N/A | 3.1 LOW |
|
A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.
|
|||||
| CVE-2025-3943 | 4 Blackberry, Linux, Microsoft and 1 more | 5 Qnx, Linux Kernel, Windows and 2 more | 2025-06-04 | N/A | 4.1 MEDIUM |
|
Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.
|
|||||
| CVE-2023-45716 | 1 Hcltech | 1 Sametime | 2025-06-03 | N/A | 1.7 LOW |
|
Sametime is impacted by sensitive information passed in URL.
|
|||||
| CVE-2025-22387 | 1 Optimizely | 1 Configured Commerce | 2025-05-21 | N/A | 7.5 HIGH |
|
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged for session hijacking.
|
|||||
| CVE-2024-9877 | 2025-05-02 | N/A | 4.3 MEDIUM | ||
|
: Use of GET Request Method With Sensitive Query Strings vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini.This issue affects ANC: through 1.1.4; ANC-L: through 1.1.4; ANC-mini: through 1.1.4.
|
|||||
| CVE-2025-32021 | 1 Weblate | 1 Weblate | 2025-04-30 | N/A | 2.2 LOW |
|
Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are writte ...
Show More |
|||||
| CVE-2025-24948 | 1 Joturl | 1 Joturl | 2025-04-22 | N/A | 6.5 MEDIUM |
|
In JotUrl 2.0, passwords are sent via HTTP GET-type requests, potentially exposing credentials to eavesdropping or insecure records.
|
|||||
| CVE-2017-8443 | 1 Elastic | 1 Kibana | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
|
In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs.
|
|||||
| CVE-2017-3185 | 1 Acti | 1 Camera Firmware | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL |
|
ACTi cameras including the D, B, I, and E series using firmware version A1D-500-V6.11.31-AC have a web application that uses the GET method to process requests that contain sensitive information such as user account name and password, which can expose that information through the browser's history, referrers, web logs, and other sources.
|
|||||
| CVE-2021-41719 | 2025-03-21 | N/A | 7.5 HIGH | ||
|
Maharashtra State Electricity Distribution Company Limited Mahavitran IOS Application 16.1 application till version 16.1 communicates using the GET method to process requests that contain sensitive information such as user account name and password, which can expose that information through the browser's history, referrers, web logs, and other sources.
|
|||||
| CVE-2025-26473 | 1 Outbackpower | 2 Mojave Inverter Oghi8048a, Mojave Inverter Oghi8048a Firmware | 2025-03-19 | N/A | 7.5 HIGH |
|
The Mojave Inverter uses the GET method for sensitive information.
|
|||||
| CVE-2025-2356 | 2025-03-17 | 2.6 LOW | 3.7 LOW | ||
|
A vulnerability was found in BlackVue App 3.65 on Android. It has been classified as problematic. This affects the function deviceDelete of the component API Handler. The manipulation leads to use of get request method with sensitive query strings. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure ...
Show More |
|||||
| CVE-2024-23766 | 2025-03-13 | N/A | 7.5 HIGH | ||
|
An issue was discovered on HMS Anybus X-Gateway AB7832-F 3 devices. The gateway exposes a web interface on port 80. An unauthenticated GET request to a specific URL triggers the reboot of the Anybus gateway (or at least most of its modules). An attacker can use this feature to carry out a denial of service attack by continuously sending GET requests to that URL.
|
|||||
| CVE-2025-1738 | 2025-02-27 | N/A | 6.2 MEDIUM | ||
|
A Password Transmitted over Query String vulnerability has been found in Trivision Camera NC227WF v5.8.0 from TrivisionSecurity, exposing this sensitive information to a third party.
|
|||||
| CVE-2024-2745 | 1 Rapid7 | 1 Insightvm | 2025-02-25 | N/A | 3.3 LOW |
|
Rapid7's InsightVM maintenance mode login page suffers from a sensitive information exposure vulnerability whereby, sensitive information is exposed through query strings in the URL when login is attempted before the page is fully loaded. This vulnerability allows attackers to acquire sensitive information such as passwords, auth tokens, usernames etc.
The vulnerability is remediated in version 6.6.244.
|
|||||
| CVE-2024-12012 | 2025-02-13 | N/A | 5.7 MEDIUM | ||
|
A CWE-598 “Use of GET Request Method with Sensitive Query Strings” was discovered affecting the 130.8005 TCP/IP Gateway running firmware version 12h. Both the SHA-1 hash of the password as well as the session tokens are included as part of the URL and therefore exposed to information leakage scenarios. An attacker capable of accessing such values (e.g., victim browser, network traffic inspection) can exploit this vulnerability to leak both the password hash as well as session tokens and bypass t ...
Show More |
|||||
| CVE-2023-32335 | 1 Ibm | 2 Maximo Application Suite, Maximo Asset Management | 2025-01-14 | N/A | 3.7 LOW |
|
IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 255075.
|
|||||