CVEs classified under CWE-598, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2025-69270 — CVSS 9.8 (critical): Information Exposure Through Query Strings in GET Request vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Session…
CVE-2023-6014 — CVSS 9.8 (critical): An attacker is able to arbitrarily create an account in MLflow bypassing any authentication requirment.
CVE-2025-56551 — CVSS 8.2 (high): An issue in DirectAdmin v1.680 allows unauthorized attackers to manipulate the page layout and replace the legitimate login interface with…
CVE-2021-21594 — CVSS 8.2 (high): Dell PowerScale OneFS versions 8.2.2 - 9.1.0.x contain a use of get request method with sensitive query strings vulnerability. It can lead…
CVE-2026-23846 — CVSS 8.1 (high): Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication…
CVE-2019-6531 — CVSS 8.1 (high): An attacker could retrieve passwords from a HTTP GET request from the Kunbus PR100088 Modbus gateway versions prior to Release R02 (or…
CVE-2026-58656 — CVSS 7.5 (high): Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin…
CVE-2026-44883 — CVSS 7.5 (high): Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker…
CVE-2026-34020 — CVSS 7.5 (high): Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method…
CVE-2026-25118 — CVSS 7.5 (high): immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable…
CVE-2025-41772 — CVSS 7.5 (high): An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the…
CVE-2021-41719 — CVSS 7.5 (high): Maharashtra State Electricity Distribution Company Limited Mahavitran IOS Application 16.1 application till version 16.1 communicates using…
CVE-2025-22387 — CVSS 7.5 (high): An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where…
CVE-2024-38863 — CVSS 7.5 (high): Exposure of CSRF tokens in query parameters on specific requests in Checkmk GmbH's Checkmk versions <2.3.0p18, <2.2.0p35 and <2.1.0p48…
CVE-2024-23766 — CVSS 7.5 (high): An issue was discovered on HMS Anybus X-Gateway AB7832-F 3 devices. The gateway exposes a web interface on port 80. An unauthenticated GET…
CVE-2026-26721 — CVSS 7.1 (high): An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via…
CVE-2026-43875 — CVSS 6.8 (medium): WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/MobileManager/oauth2.php completes an OAuth…
CVE-2025-36371 — CVSS 6.5 (medium): IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 are impacted by obtaining an information vulnerability in the database plan cache implementation. A user…
CVE-2025-24948 — CVSS 6.5 (medium): In JotUrl 2.0, passwords are sent via HTTP GET-type requests, potentially exposing credentials to eavesdropping or insecure records.
CVE-2023-37935 — CVSS 6.5 (medium): A use of GET request method with sensitive query strings vulnerability in Fortinet FortiOS 7.0.0 - 7.0.12, 7.2.0 - 7.2.5 and 7.4.0 allows…
CVE-2026-2237 — CVSS 6.2 (medium): A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before…
CVE-2025-1738 — CVSS 6.2 (medium): A Password Transmitted over Query String vulnerability has been found in Trivision Camera NC227WF v5.8.0 from TrivisionSecurity, exposing…
CVE-2025-13219 — CVSS 5.9 (medium): IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if…
CVE-2025-59873 — CVSS 5.9 (medium): An information exposure vulnerability exists in Vulnerability in HCL Software ZIE for Web. The application transmits sensitive session…
CVE-2024-41738 — CVSS 5.9 (medium): IBM TXSeries for Multiplatforms 10.1 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to…
CVE-2025-8997: An Information Exposure vulnerability has been identified in OpenText Enterprise Security Manager. The vulnerability could be remotely…
CVE-2024-12012 — CVSS 5.7 (medium): A CWE-598 “Use of GET Request Method with Sensitive Query Strings” was discovered affecting the 130.8005 TCP/IP Gateway running…
CVE-2024-32931 — CVSS 5.7 (medium): Under certain circumstances the exacqVision Web Service can expose authentication token details within communications.
CVE-2025-54542 — CVSS 5.5 (medium): QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the…
CVE-2025-51651 — CVSS 5.5 (medium): An authenticated arbitrary file download vulnerability in the component /admin/Backups.php of Mccms v2.7.0 allows attackers to download…
CVE-2025-31954 — CVSS 5.4 (medium): HCL iAutomate v6.5.1 and v6.5.2 is susceptible to a sensitive information disclosure. An HTTP GET method is used to process a request and…
CVE-2026-37504 — CVSS 5.3 (medium): Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server…
CVE-2026-31381 — CVSS 5.3 (medium): An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL.
CVE-2026-26196 — CVSS 5.3 (medium): Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and…
CVE-2026-22644 — CVSS 5.3 (medium): Certain requests pass the authentication token in the URL as string query parameter, making it vulnerable to theft through server logs…
CVE-2025-58584 — CVSS 5.3 (medium): In the HTTP request, the username and password are transferred directly in the URL as parameters. However, URLs can be stored in various…
CVE-2025-40742 — CVSS 5.3 (medium): A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V11.0), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5…
CVE-2025-49188 — CVSS 5.3 (medium): The application sends user credentials as URL parameters instead of POST bodies, making it vulnerable to information gathering.
CVE-2025-52901 — CVSS 4.5 (medium): File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit…
CVE-2026-33620 — CVSS 4.3 (medium): PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.8` through `v0.8.3` accepted…
CVE-2025-32916 — CVSS 4.3 (medium): Potential use of sensitive information in GET requests in Checkmk GmbH's Checkmk versions <2.4.0p13, <2.3.0p38, <2.2.0p46, and 2.1.0 (EOL)…
CVE-2025-50709 — CVSS 4.3 (medium): An issue in Perplexity AI GPT-4 allows a remote attacker to obtain sensitive information via a GET parameter
CVE-2024-9877 — CVSS 4.3 (medium): : Use of GET Request Method With Sensitive Query Strings vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini.This issue affects ANC: through…
CVE-2023-50954 — CVSS 4.3 (medium): IBM InfoSphere Information Server 11.7 returns sensitive information in URL information that could be used in further attacks against the…
CVE-2025-26058 — CVSS 4.2 (medium): Webkul QloApps v1.6.1 exposes authentication tokens in URLs during redirection. When users access the admin panel or other protected areas…
CVE-2025-3943 — CVSS 4.1 (medium): Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara…
CVE-2023-25524 — CVSS 4.0 (medium): NVIDIA Omniverse Workstation Launcher for Windows and Linux contains a vulnerability in the authentication flow, where a user’s access…
CVE-2025-2356 — CVSS 3.7 (low): A vulnerability was found in BlackVue App 3.65 on Android. It has been classified as problematic. This affects the function deviceDelete of…
CVE-2025-0730 — CVSS 3.7 (low): A vulnerability classified as problematic has been found in TP-Link TL-SG108E 1.0.0 Build 20201208 Rel. 40304. Affected is an unknown…