Every CVE whose affected-product data names Qs Project Qs, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (5)
CVE-2014-10064 — CVSS 7.5 (high): The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply…
CVE-2017-1000048 — CVSS 7.5 (high): the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send…
CVE-2022-24999 — CVSS 7.5 (high): qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express…
CVE-2026-2391 — CVSS 3.7 (low): ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing…