The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284).
When the `comma` option is set to `true` (not the default, but configurable in applications), qs parses comma-separated strings as arrays (e.g., `?param=a,b,c` becomes `['a', 'b', 'c']`). However, the `arrayLimit` check (default: 20) and the optional `throwOnLimitExceeded` check run after the comma-handling logic in `parseArrayValue`, so a comma-separated value is never subject to them. This permits creation of arbitrarily large arrays from a single parameter, leading to excessive memory allocation.
The vulnerable code allows attackers to send a single parameter with millions of commas (e.g., `?param=,,,,,,,,...`), allocating massive arrays in memory without triggering limits. It bypasses the intent of `arrayLimit`, which is enforced correctly for indexed (`a[0]=`) and bracket (`a[]=`) notations.
Risk to organizations includes denial of service through memory exhaustion, which could affect application availability and performance.
Organizations should prioritize patching immediately.
Vulnerability Details
The CVE-2026-2391 vulnerability affects the `qs` library by allowing an attacker to bypass the `arrayLimit` option when handling comma-separated values. This leads to potential denial-of-service through memory exhaustion.
CVSS score is 6.3, classified as medium severity. The vulnerability is exploitable over the network with low complexity and requires no privileges or user interaction.
The affected version is `qs` from version 6.7.0 to 6.14.2.
Published on February 12, 2026.
Technical Analysis
The root cause of this vulnerability lies in the order of operations within the `parseArrayValue` function of the `qs` library. When the value contains a comma, `split(',')` returns the resulting array immediately, so the subsequent `arrayLimit` check is never reached.
The attack vector is over the network with low attack complexity, meaning the exploit can be executed with minimal effort. There are no privileges required, nor is user interaction necessary to trigger the vulnerability.
While the confidentiality and integrity impacts are none, the availability impact is low as it can lead to a denial-of-service situation.
Risk & Impact Analysis
Real-world deployment risk includes the potential for attackers to exploit this vulnerability to exhaust server memory, leading to application crashes or degraded performance. The blast radius could vary significantly based on the application architecture and server resources, which may allow for widespread disruption.
With a CVSS score of 6.3, it is categorized as medium severity, indicating that organizations should address it in their priority patch cycle.
Organizations should be proactive in their security posture to mitigate the risks associated with this vulnerability.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
The vulnerable versions of the `qs` library are those from version 6.7.0 to 6.14.2.
Mitigation & Remediation
To mitigate this vulnerability, it is recommended to upgrade to a patched version of the `qs` library. Users should check the official GitHub repository for the latest fixes.
Organizations may also consider implementing input validation to limit the size of incoming parameters and prevent excessive memory allocation.
Continuous penetration testing can help identify weaknesses related to this vulnerability and others.
Detection Guidance
Monitoring for unusual memory usage patterns or crashes related to applications utilizing the `qs` library can be beneficial in detecting potential exploitation attempts.
Log indicators should be established to track the size of incoming parameters and any associated processing errors.
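As an added example (not code from the qs project or from this advisory), the following pre-parse guard covers both the input validation suggested under Mitigation & Remediation and the size indicators suggested here: it counts the elements `comma: true` would produce for each raw query value and rejects the request before `qs.parse` allocates the array, returning the figures worth logging. `checkQueryString`, `countCommaElements` and the `maxValueLength` option are hypothetical names, and the check assumes the literal `,` form described in the Technical Analysis.

```javascript
// Added example, not qs project code. Guards a raw query string against the
// comma-array bypass by enforcing the intended arrayLimit *before* qs parses it.
const DEFAULT_ARRAY_LIMIT = 20; // the qs default named in the advisory

// Number of elements qs would create for this value under comma: true.
// qs only splits when a literal ',' is present, so elements = commas + 1.
// Assumption: if a framework URL-decodes before qs sees the value, extend this
// to count '%2C' as well.
function countCommaElements(rawValue) {
  let commas = 0;
  for (let i = 0; i < rawValue.length; i++) {
    if (rawValue.charCodeAt(i) === 44) commas++; // 44 === ','
  }
  return commas + 1;
}

// Inspects the raw query string (with or without a leading '?') and returns a
// report usable both as an allow/deny decision and as a log record.
function checkQueryString(rawQuery, options = {}) {
  const arrayLimit = options.arrayLimit ?? DEFAULT_ARRAY_LIMIT;
  const maxValueLength = options.maxValueLength ?? 4096; // hypothetical size cap
  const q = rawQuery.startsWith('?') ? rawQuery.slice(1) : rawQuery;
  const parts = q.length ? q.split('&') : [];
  const report = { ok: true, paramCount: parts.length, maxValueLength: 0, maxElements: 0, violations: [] };
  for (const part of parts) {
    const eq = part.indexOf('=');
    const key = eq === -1 ? part : part.slice(0, eq);
    const value = eq === -1 ? '' : part.slice(eq + 1);
    const elements = countCommaElements(value);
    report.maxValueLength = Math.max(report.maxValueLength, value.length);
    report.maxElements = Math.max(report.maxElements, elements);
    if (value.length > maxValueLength) {
      report.violations.push({ key, reason: 'value too long', size: value.length });
    }
    if (elements > arrayLimit) {
      report.violations.push({ key, reason: 'comma array exceeds arrayLimit', size: elements });
    }
  }
  report.ok = report.violations.length === 0;
  return report;
}

// Usage sketch: run the guard first, then call qs.parse only when report.ok is
// true; otherwise reject the request and emit `report` as the log indicator.
// Constructed sample inputs:
const benign = checkQueryString('?tags=a,b,c&page=2');   // ok, maxElements 3
const hostile = checkQueryString('?param=' + ','.repeat(25)); // 26 elements > 20
console.log(JSON.stringify(benign), JSON.stringify(hostile));
```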
AppSecure Threat Intelligence Insight
This vulnerability highlights the importance of rigorous input validation practices, especially when handling user-supplied data that may affect application performance.
Security teams should prioritize the assessment of libraries in use to ensure they are not susceptible to similar vulnerabilities.
For further insights into securing applications, organizations can refer to the following resources:
Vulnerability management program design and penetration testing methodology can provide additional strategies for securing applications.
API penetration testing guide is also a valuable resource for teams focusing on API security.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.