CVE-2026-8723

Voidly

NIST · via Voidly Atlas

CVE-2026-8723

This is the agency's own public-domain data, curated and made citable by Voidly. Voidly adds no independent claim — always verify against the linked canonical source.

cve id

CVE-2026-8723

published

2026-05-17T00:16:21.233

last modified

2026-05-17T00:16:21.233

status

Received

description

### Summary `qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`). ### Details In the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the array through the raw encoder before joining: ```js obj = utils.maybeMap(obj, encoder); ``` `utils.encode` (`lib/utils.js:195`) reads `str.length` with no null guard, so a `null` or `undefined` element throws `TypeError`. `skipNulls` and `strictNullHandling` are both checked in the per-element loop below this line and never get a chance to run. Same class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + `encodeValuesOnly` branch was introduced in 4c4b23d ("encode comma values more consistently", PR #463, 2023-01-19), first released in v6.11.1. #### PoC ```js const qs = require('qs'); qs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true }); qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: t

cvss score

5.3

cvss severity

MEDIUM

cvss vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

cwes

CWE-476

cpe count

0

Verify at NIST National Vulnerability Database ↗

Cite this record

CVE-2026-8723 — MEDIUM. NIST, via Voidly Atlas — Surveillance & Digital-Rights Watch. Retrieved 2026-06-07, https://voidly.ai/atlas/federal/nvd-cves/CVE-2026-8723

@misc{voidly_nvd_cves_CVE20268723,
  title        = {CVE-2026-8723 — MEDIUM},
  author       = {{Voidly}},
  howpublished = {\url{https://voidly.ai/atlas/federal/nvd-cves/CVE-2026-8723}},
  note         = {Source: NIST National Vulnerability Database, https://nvd.nist.gov/vuln/detail/CVE-2026-8723. Public domain (17 U.S.C. §105); re-surfaced under CC BY 4.0},
  urldate      = {2026-06-07},
  year         = {2026}
}

Also available as JSON/BibTeX/APA: API record. Source data is U.S. federal public domain (17 U.S.C. §105). Re-surfaced by Voidly under CC BY 4.0.