CVE-2026-2391 — Improper Input Validation in Project QS
Severity
6.3MEDIUMNVD
EPSS
0.1%
top 81.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedFeb 12
Description
### Summary
The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).
### Details
When the `comma` option is set to `true` (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., `?…
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected Packages2 packages
Patches
🔴Vulnerability Details
4OSV▶
CVE-2026-2391: ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to caus↗2026-02-12
📋Vendor Advisories
2🕵️Threat Intelligence
1💬Community
5Bugzilla▶
CVE-2026-2391 python-torch: qs's arrayLimit bypass in comma parsing allows denial of service [fedora-42]↗2026-02-12
Bugzilla▶
CVE-2026-2391 python-torch: qs's arrayLimit bypass in comma parsing allows denial of service [fedora-43]↗2026-02-12
Bugzilla▶
CVE-2026-2391 nextcloud: qs's arrayLimit bypass in comma parsing allows denial of service [epel-10]↗2026-02-12
Bugzilla▶
CVE-2026-2391 nextcloud: qs's arrayLimit bypass in comma parsing allows denial of service [fedora-42]↗2026-02-12
Bugzilla▶
CVE-2026-2391 nextcloud: qs's arrayLimit bypass in comma parsing allows denial of service [fedora-43]↗2026-02-12