MEDIUM
ljharb
CVE published 2026-05-17
CVE-2026-8723
CVE-2026-8723 describes a denial-of-service style reliability bug in qs: when qs.stringify is called with arrayFormat:"comma" and encodeValuesOnly:true, a null or undefined element inside an array can trigger a synchronous TypeError instead of producing a query string. The issue is fixed in v6.15.2.