
CWE-598 (Information Exposure Through Query Strings in GET Request) — Vulnerability Class 55

55 vulnerabilities classified as CWE-598 (Information Exposure Through Query Strings in GET Request). AI Chinese analysis included.

CWE-598 represents a critical information exposure weakness where web applications transmit sensitive data in the HTTP query string. It typically arises when developers use GET requests to carry authentication credentials, session tokens, or personally identifiable information, so that these values are appended, in the clear, to the URL. Attackers harvest them by intercepting network traffic, reading browser history, or reviewing server and proxy logs. Because query strings are cached by proxies, stored in browser history, and written to web server access logs, the data stays accessible to unauthorized parties long after the request completes. To mitigate the risk, developers should send sensitive values only in the HTTP request body or in request headers, which for form submissions usually means using POST instead of GET. HTTPS protects the request in transit against interception, but it does not keep the query string out of server logs or browser history, so it complements rather than replaces moving the data out of the URL.

MITRE CWE Description
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.

Common Consequences (1)
Confidentiality: Read Application Data
At a minimum, attackers can garner information from query strings that can be utilized in escalating their method of attack, such as information about the internal workings of the application or database column names. Successful exploitation of query string parameter vulner…

Mitigations (1)
Implementation: When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.
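As an added example (not code from this page or from any of the listed projects), a small scanner for the log-side of this weakness: it parses access-log lines in the common/combined format and flags requests whose query string carries a parameter with a secret-looking name, which is how a defender confirms that such data is landing in server logs. The parameter-name pattern and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Name-based heuristic for parameters that commonly carry secrets.
# Substring match on purpose (catches "access_token"); tune for your app.
SENSITIVE_PARAM_RE = re.compile(
    r"(pass(word|wd)?|pwd|token|session(id)?|sid|api[_-]?key|secret|auth|credential)",
    re.IGNORECASE,
)

# Request line of a common/combined-format access log: method, target, status.
LOG_LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_sensitive_query_params(log_text):
    """Return (line_no, method, path, [param names]) for every request whose
    query string contains a parameter with a secret-looking name."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.query:
            continue
        # keep_blank_values so "password=" with an empty value is still flagged
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        hits = sorted({k for k in names if SENSITIVE_PARAM_RE.search(k)})
        if hits:
            findings.append((line_no, m.group("method"), parts.path, hits))
    return findings


# Constructed sample access-log lines (not real traffic). Line 2 is the
# mitigated form of line 1: credentials in the POST body never reach the log.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Apr/2026:10:00:01 +0000] "GET /login?username=alice&password=hunter2 HTTP/1.1" 302 0
192.0.2.11 - - [09/Apr/2026:10:00:02 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.12 - - [09/Apr/2026:10:00:03 +0000] "GET /api/albums?access_token=abc123 HTTP/1.1" 200 5120
192.0.2.13 - - [09/Apr/2026:10:00:04 +0000] "GET /search?q=printers&page=2 HTTP/1.1" 200 880
"""

if __name__ == "__main__":
    for line_no, method, path, params in find_sensitive_query_params(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} exposes {', '.join(params)} in the query string")
```

Run it against a real access log to confirm whether a flagged CVE's pattern is present in your own infrastructure, then rotate any credential found there, since the log itself is now a copy of it.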
CVE ID | Title | CVSS | Severity | Published
CVE-2026-34020 | Apache OpenMeetings: Login Credentials Passed via GET Query Parameters — Apache OpenMeetings | 7.5 (AI) | High (AI) | 2026-04-09
CVE-2026-25118 | immich-server: Insecure Transmission of Authentication Credentials via Password Parameter in HTTP Request Query String When Accessing Shared Albums — immich | 8.1 (AI) | High (AI) | 2026-04-03
CVE-2026-33620 | PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems — pinchtab | 4.3 | Medium | 2026-03-26
CVE-2025-14808 | IBM InfoSphere Information Server is vulnerable due to disclosure of sensitive information — InfoSphere Information Server | 3.1 | Low | 2026-03-25
CVE-2026-31381 | Gainsight Assist plugin information disclosure — Gainsight Assist | 5.3 | Medium | 2026-03-20
CVE-2025-14811 | IBM Sterling Partner Engagement Manager Information Disclosure — Sterling Partner Engagement Manager | 3.1 | Low | 2026-03-13
CVE-2025-13219 | Multiple vulnerabilities in IBM Aspera Orchestrator — Aspera Orchestrator | 5.9 | Medium | 2026-03-10
CVE-2025-41772 | wwwupdate.cgi Session token in URL — UBR-01 Mk II | 7.5 | High | 2026-03-09
CVE-2026-26196 | Gogs: Access tokens get exposed through URL params in API requests — gogs | 5.3 | - | 2026-03-05
CVE-2026-23846 | Tugtainer vulnerable to Password Exposure via URL Query Parameter — tugtainer | 8.1 | High | 2026-01-19
CVE-2026-22644 | SICK Incoming Goods Suite security vulnerability — Incoming Goods Suite | 5.3 | Medium | 2026-01-15
CVE-2025-69270 | Spectrum session token in URL — DX NetOps Spectrum | 8.1 (AI) | High (AI) | 2026-01-12
CVE-2025-36371 | IBM i Information Disclosure — i | 6.5 | Medium | 2025-11-19
CVE-2025-31954 | HCL iAutomate is susceptible to a sensitive information disclosure — iAutomate | 5.4 | Medium | 2025-11-05
CVE-2025-32916 | Sensitive form data in URL query parameters — Checkmk | 5.3 (AI) | Medium (AI) | 2025-10-09
CVE-2025-58584 | Plain Text Transmission of Username and Password in the URL — Baggage Analytics | 5.3 | Medium | 2025-10-06
CVE-2025-54542 | Sending Password in GET Request — QuickCMS | 7.8 (AI) | High (AI) | 2025-08-28
CVE-2025-8997 | OpenText Enterprise Security Manager Information Exposure — OpenText Enterprise Security Manager | 7.5 (AI) | High (AI) | 2025-08-25
CVE-2025-40742 | Multiple Siemens products security vulnerability — SIPROTEC 5 6MD84 (CP300) | 5.3 | Medium | 2025-07-08
CVE-2025-52901 | File Browser allows sensitive data to be transferred in URL — filebrowser | 4.5 | Medium | 2025-06-30
CVE-2025-49188 | Sensitive Data in URL — SICK Field Analytics | 5.3 | Medium | 2025-06-12
CVE-2025-3943 | Use of GET Request Method With sensitive Query Strings — Niagara Framework | 4.1 | Medium | 2025-05-22
CVE-2024-9877 | Sensitive information submitted using GET method — ANC | 4.3 | Medium | 2025-04-30
CVE-2025-3637 | Moodle: csrf token exposure via url in moodle mod_data module | 3.1 | Low | 2025-04-25
CVE-2025-32021 | Weblate VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext — weblate | 2.2 | Low | 2025-04-15
CVE-2025-2356 | BlackVue App API deviceDelete get request method with sensitive query strings — App | 3.7 | Low | 2025-03-17
CVE-2025-1738 | Multiple vulnerabilities in Trivision Camera NC227WF — Camera NC227WF | 6.2 | Medium | 2025-02-27
CVE-2025-26473 | Outback Power Mojave Inverter Use of GET Request Method With Sensitive Query Strings — Mojave Inverter | 7.5 | High | 2025-02-13
CVE-2024-12012 | Nozomi Networks TCP/IP Gateway security vulnerability — 130.8005 | 5.7 | Medium | 2025-02-13
CVE-2025-0730 | TP-Link TL-SG108E HTTP GET Request usr_account_set.cgi get request method with sensitive query strings — TL-SG108E | 3.7 | Low | 2025-01-27

Vulnerabilities classified as CWE-598 (Information Exposure Through Query Strings in GET Request) represent 55 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.