CWE-598
Use of HTTP Request With Sensitive Query String
Variant | Draft
Description
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (26)
Page 2 of 2

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-50709 | Med | 0.28 | 4.3 | 0.00 | | Sep 17, 2025 | An issue in Perplexity AI GPT-4 allows a remote attacker to obtain sensitive information via a GET parameter |
| CVE-2024-9877 | Med | 0.28 | 4.3 | 0.00 | | Apr 30, 2025 | Use of GET Request Method With Sensitive Query Strings vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini. This issue affects ANC: through 1.1.4; ANC-L: through 1.1.4; ANC-mini: through 1.1.4. |
| CVE-2025-2356 | Low | 0.24 | 3.7 | 0.00 | | Mar 17, 2025 | A vulnerability was found in BlackVue App 3.65 on Android. It has been classified as problematic. This affects the function deviceDelete of the component API Handler. The manipulation leads to use of get request method with sensitive query strings. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-14811 | Low | 0.20 | 3.1 | 0.00 | | Mar 13, 2026 | IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques. |
| CVE-2025-62317 | Low | 0.17 | 2.6 | 0.00 | | May 14, 2026 | HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters. Passing sensitive data in URLs may expose it through browser history, logs, or intermediary systems, potentially leading to unintended information disclosure under certain conditions. |
| CVE-2026-27949 | Low | 0.13 | 2.0 | 0.00 | | Apr 7, 2026 | Plane is an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally identifiable information (PII) via GET request query strings is classified as an insecure design practice. The affected code path is located in the authentication utility module (packages/utils/src/auth.ts). This vulnerability is fixed in 1.3.0. |