Variant · Draft

CWE-598: Use of HTTP Request With Sensitive Query String

Category: data-exposure

Description

The web application uses an HTTP method to process a request, but the request includes sensitive information in the query string.

Common consequences · 1

  • Confidentiality — Read Application Data

Potential mitigations · 1

  • [Implementation] When sending sensitive information, only include it in the request body or request headers instead of the query string. This may require avoiding use of GET requests.

References

  1. https://cwe.mitre.org/data/definitions/598.html

(incoming) · 6

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Vulnerability | CVE-2025-50110 (cve-2025-50110) | 0% | live |
| Vulnerability | CVE-2025-56551 (cve-2025-56551) | 0% | live |
| Vulnerability | CVE-2025-57800 (cve-2025-57800) | 0% | live |
| Vulnerability | CVE-2025-69270 (cve-2025-69270) | 0% | live |
| Vulnerability | CVE-2025-69634 (cve-2025-69634) | 0% | live |
| Vulnerability | CVE-2026-23846 (cve-2026-23846) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Cross-Site Request Forgery (CSRF)
  • CWE: Direct Request ('Forced Browsing')
  • CWE: Improper Neutralization of Encoded URI Schemes in a Web Page
  • CWE: Insertion of Sensitive Information Into Sent Data
  • CWE: Server-Side Request Forgery (SSRF)
  • CWE: Use of Web Browser Cache Containing Sensitive Information

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.