Total
61 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3637 | 1 Moodle | 1 Moodle | 2026-06-17 | N/A | 3.1 LOW |
| A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages. | |||||
| CVE-2025-36371 | 1 Ibm | 1 I | 2026-06-17 | N/A | 6.5 MEDIUM |
| IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 are impacted by an information disclosure vulnerability in the database plan cache implementation. A user with access to the database plan cache could see information they do not have authority to view. | |||||
| CVE-2025-32916 | 1 Checkmk | 1 Checkmk | 2026-06-17 | N/A | 4.3 MEDIUM |
| Potential use of sensitive information in GET requests in Checkmk GmbH's Checkmk versions <2.4.0p13, <2.3.0p38, <2.2.0p46, and 2.1.0 (EOL) may cause sensitive form data to be included in URL query parameters, which may be logged in various places such as browser history or web server logs. | |||||
| CVE-2025-32021 | 1 Weblate | 1 Weblate | 2026-06-17 | N/A | 2.2 LOW |
| Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are written to logs in plaintext. If using Weblate official Docker image, nginx logs the URL and the token in plaintext. This issue is patched in version 5.11. | |||||
| CVE-2025-31954 | 1 Hcltech | 1 Dryice Iautomate | 2026-06-17 | N/A | 5.4 MEDIUM |
| HCL iAutomate v6.5.1 and v6.5.2 are susceptible to a sensitive information disclosure. An HTTP GET method is used to process a request and includes sensitive information in the query string of that request. An attacker could potentially access information or resources they were not intended to see. | |||||
| CVE-2025-2356 | | | 2026-06-17 | 2.6 LOW | 3.7 LOW |
| A vulnerability was found in BlackVue App 3.65 on Android. It has been classified as problematic. This affects the function deviceDelete of the component API Handler. The manipulation leads to use of the GET request method with sensitive query strings. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-26473 | 1 Outbackpower | 2 Mojave Inverter Oghi8048a, Mojave Inverter Oghi8048a Firmware | 2026-06-17 | N/A | 7.5 HIGH |
| The Mojave Inverter uses the GET method for sensitive information. | |||||
| CVE-2025-26058 | 1 Webkul | 1 Qloapps | 2026-06-17 | N/A | 4.2 MEDIUM |
| Webkul QloApps v1.6.1 exposes authentication tokens in URLs during redirection. When users access the admin panel or other protected areas, the application appends sensitive authentication tokens directly to the URL. | |||||
| CVE-2025-24948 | 1 Joturl | 1 Joturl | 2026-06-17 | N/A | 6.5 MEDIUM |
| In JotUrl 2.0, passwords are sent via HTTP GET-type requests, potentially exposing credentials to eavesdropping or insecure records. | |||||
| CVE-2025-22387 | 1 Optimizely | 1 Configured Commerce | 2026-06-17 | N/A | 7.5 HIGH |
| An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged for session hijacking. | |||||
| CVE-2025-1738 | | | 2026-06-17 | N/A | 6.2 MEDIUM |
| A Password Transmitted over Query String vulnerability has been found in Trivision Camera NC227WF v5.8.0 from TrivisionSecurity, exposing this sensitive information to a third party. | |||||
| CVE-2025-13219 | 2 Ibm, Linux | 2 Aspera Orchestrator, Linux Kernel | 2026-06-17 | N/A | 5.9 MEDIUM |
| IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. | |||||
| CVE-2025-0730 | 1 Tp-link | 2 Tl-sg108e, Tl-sg108e Firmware | 2026-06-17 | 2.6 LOW | 3.7 LOW |
| A vulnerability classified as problematic has been found in TP-Link TL-SG108E 1.0.0 Build 20201208 Rel. 40304. Affected is an unknown function of the file /usr_account_set.cgi of the component HTTP GET Request Handler. The manipulation of the argument username/password leads to use of the GET request method with sensitive query strings. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.0 Build 20250124 Rel. 54920(Beta) is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early. They reacted very professionally and provided a pre-fix version for their customers. | |||||
| CVE-2024-9877 | | | 2026-06-17 | N/A | 4.3 MEDIUM |
| Use of GET Request Method With Sensitive Query Strings vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini. This issue affects ANC: through 1.1.4; ANC-L: through 1.1.4; ANC-mini: through 1.1.4. | |||||
| CVE-2024-41738 | 1 Ibm | 1 Txseries For Multiplatforms | 2026-06-17 | N/A | 5.9 MEDIUM |
| IBM TXSeries for Multiplatforms 10.1 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques. | |||||
| CVE-2024-38863 | 1 Checkmk | 1 Checkmk | 2026-06-17 | N/A | 7.5 HIGH |
| Exposure of CSRF tokens in query parameters on specific requests in Checkmk GmbH's Checkmk versions <2.3.0p18, <2.2.0p35 and <2.1.0p48 could lead to a leak of the token to facilitate targeted phishing attacks. | |||||
| CVE-2024-32931 | 1 Johnsoncontrols | 1 Exacqvision Web Service | 2026-06-17 | N/A | 5.7 MEDIUM |
| Under certain circumstances the exacqVision Web Service can expose authentication token details within communications. | |||||
| CVE-2024-2745 | 1 Rapid7 | 1 Insightvm | 2026-06-17 | N/A | 3.3 LOW |
| Rapid7's InsightVM maintenance mode login page suffers from a sensitive information exposure vulnerability whereby sensitive information is exposed through query strings in the URL when login is attempted before the page is fully loaded. This vulnerability allows attackers to acquire sensitive information such as passwords, auth tokens, usernames, etc. The vulnerability is remediated in version 6.6.244. | |||||
| CVE-2024-28238 | 1 Monospace | 1 Directus | 2026-06-17 | N/A | 2.3 LOW |
| Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user. This issue has been addressed in version 10.10.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-23766 | | | 2026-06-17 | N/A | 7.5 HIGH |
| An issue was discovered on HMS Anybus X-Gateway AB7832-F 3 devices. The gateway exposes a web interface on port 80. An unauthenticated GET request to a specific URL triggers the reboot of the Anybus gateway (or at least most of its modules). An attacker can use this feature to carry out a denial of service attack by continuously sending GET requests to that URL. | |||||
