CVE-2026-8723
medium
CVSS v3
5.3
CVSS v2
—
VIR risk
5.3
Description
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
Predictions
Exploit likelihood
63%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-8723
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
References
- https://github.com/ljharb/qs/commit/21f80b33e5c8b3f7eba1034fff0da4a4a37a1d41
- https://github.com/ljharb/qs/security/advisories/GHSA-q8mj-m7cp-5q26
- https://nvd.nist.gov/vuln/detail/CVE-2026-8723
- https://github.com/ljharb/qs
- https://security-tracker.debian.org/tracker/CVE-2026-8723
- https://github.com/advisories/GHSA-q8mj-m7cp-5q26
CWEs
CWE-476
Verify integrity in audit chain (admin only). AS-IS.