CWE-598 (Use of HTTP Request With Sensitive Query String) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.
Extended context from the CWE catalog (rendered from MITRE XHTML).
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Web Based | Often | — |
| technology | Web Server | — | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-10078 | 2026-05-29 | A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL quer… |
| CVE-2026-44883 | 2026-05-28 | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2… |
| CVE-2026-2237 | 2026-05-27 | A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local users on Windows to obtain sensitive info… |
| CVE-2025-62317 | 2026-05-14 | HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters. Passing sensitive data in URLs may expose it through browser history, logs, or intermediary syste… |
| CVE-2026-43875 | 2026-05-11 | WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/MobileManager/oauth2.php completes an OAuth login by sending an HTTP 302 Location: oauth2Success.php?user=<em… |
| CVE-2026-37504 | 2026-05-01 | Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmissio… |
| CVE-2026-34020 | 2026-04-09 | Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please… |
| CVE-2026-27949 | 2026-04-07 | Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the U… |
| CVE-2026-34969 | 2026-04-06 | Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter… |
| CVE-2026-25118 | 2026-04-03 | immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a share… |
| CVE-2026-33620 | 2026-03-26 | PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.8` through `v0.8.3` accepted the API token from a `token` URL query parameter in addition… |
| CVE-2025-14808 | 2026-03-25 | IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obta… |
| CVE-2026-31381 | 2026-03-20 | An attacker can extract user email addresses (PII) exposed in base64 encoding via the state parameter in the OAuth callback URL. |
| CVE-2025-14811 | 2026-03-13 | IBM Sterling Partner Engagement Manager 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to proce… |
| CVE-2025-13219 | 2026-03-10 | IBM Aspera Orchestrator 3.0.0 through 4.1.2 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, ref… |
| CVE-2025-41772 | 2026-03-09 | An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR. |
| CVE-2026-26196 | 2026-03-05 | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params like token and access_token, which can leak through logs, browser history, and refe… |
| CVE-2025-59873 | 2026-02-23 | An information exposure vulnerability exists in Vulnerability in HCL Software ZIE for Web. The application transmits sensitive session tokens and authentication identifiers within the URL query para… |
| CVE-2026-26721 | 2026-02-20 | An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter. |
| CVE-2025-69634 | 2026-02-12 | Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who ind… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Potential_Mitigations, Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Other_Notes |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Relationships |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Name |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences, Other_Notes |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Description, Name, Potential_Mitigations, Relationships |
| 2021-07-20 | CWE Content Team | 4.5 | — | updated Description |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2023-10-26 | CWE Content Team | 4.13 | — | updated Observed_Examples |
| 2025-04-03 | CWE Content Team | 4.17 | — | updated Description, Diagram, Other_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Background_Details, Common_Consequences, Other_Notes, References, Relationships, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Background_Details, Description, Name, Observed_Examples, Potential_Mitigations |
| Type | Name | Date | Comment |
|---|---|---|---|
| Content | Michal Biesiada | 2025-10-05 | Suggested OWASP reference and clarifying sensitive information details, ultimately leading to an addition to the CWE glossary. |
| Feedback | Jason Stangroome | 2025-12-27 | Suggested changes to remove emphasis on GET methods, which included a name change. |