{"schema":"voidly-atlas-federal-record/v1","dataset":"nvd-cves","agency":"NIST","source":"NIST National Vulnerability Database","provider":"Voidly","license":"Source data is U.S. federal public domain (17 U.S.C. §105). Re-surfaced by Voidly under CC BY 4.0.","disclaimer":"This is the agency's own public-domain data, curated and made citable by Voidly. Voidly adds no independent claim — always verify against the linked canonical source.","generated_at":"2026-06-07T04:54:44.082Z","record":{"id":"CVE-2026-8723","cve_id":"CVE-2026-8723","published":"2026-05-17T00:16:21.233","last_modified":"2026-05-17T00:16:21.233","status":"Received","description":"### Summary\n\n\n\n`qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).\n\n\n\n### Details\n\n\n\nIn the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the array through the raw encoder before joining:\n\n\n\n```js\n\n\n\nobj = utils.maybeMap(obj, encoder);\n\n\n\n```\n\n\n\n`utils.encode` (`lib/utils.js:195`) reads `str.length` with no null guard, so a `null` or `undefined` element throws `TypeError`. `skipNulls` and `strictNullHandling` are both checked in the per-element loop below this line and never get a chance to run.\n\n\n\nSame class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + `encodeValuesOnly` branch was introduced in 4c4b23d (\"encode comma values more consistently\", PR #463, 2023-01-19), first released in v6.11.1.\n\n\n\n#### PoC\n\n\n\n```js\n\n\n\nconst qs = require('qs');\n\n\n\nqs.stringify({ a: [null, 'b'] },      { arrayFormat: 'comma', encodeValuesOnly: true });\n\n\n\nqs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: t","cvss_score":5.3,"cvss_severity":"MEDIUM","cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","cwes":"CWE-476","cpe_count":0,"source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8723","voidly_url":"https://voidly.ai/atlas/federal/nvd-cves/CVE-2026-8723"},"citation":{"voidly_url":"https://voidly.ai/atlas/federal/nvd-cves/CVE-2026-8723","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8723","recommended":"CVE-2026-8723 — MEDIUM. NIST, via Voidly Atlas — Surveillance & Digital-Rights Watch. Retrieved 2026-06-07, https://voidly.ai/atlas/federal/nvd-cves/CVE-2026-8723","ris":"TY  - DATA\nTI  - CVE-2026-8723 — MEDIUM\nAU  - Voidly\nT2  - Voidly Atlas — Surveillance & Digital-Rights Watch\nPB  - Voidly\nPY  - 2026\nUR  - https://voidly.ai/atlas/federal/nvd-cves/CVE-2026-8723\nN1  - Source: NIST National Vulnerability Database, https://nvd.nist.gov/vuln/detail/CVE-2026-8723. Public domain (17 U.S.C. §105); re-surfaced under CC BY 4.0\nER  - ","apa":"Voidly. (2026). CVE-2026-8723 — MEDIUM [NIST National Vulnerability Database]. Voidly Atlas. Retrieved 2026-06-07, from https://voidly.ai/atlas/federal/nvd-cves/CVE-2026-8723","bibtex":"@misc{voidly_nvd_cves_CVE20268723,\n  title        = {CVE-2026-8723 — MEDIUM},\n  author       = {{Voidly}},\n  howpublished = {\\url{https://voidly.ai/atlas/federal/nvd-cves/CVE-2026-8723}},\n  note         = {Source: NIST National Vulnerability Database, https://nvd.nist.gov/vuln/detail/CVE-2026-8723. Public domain (17 U.S.C. §105); re-surfaced under CC BY 4.0},\n  urldate      = {2026-06-07},\n  year         = {2026}\n}"},"_voidly_pay":{"claim_did":"https://voidly.ai/pay/claim","for_builders":"https://voidly.ai/pay/for-builders","marketplace":"https://api.voidly.ai/v1/pay/marketplace","live_demo":"https://huggingface.co/spaces/emperor-mew/voidly-pay","universal_proxy":{"url":"https://api.voidly.ai/v1/pay/proxy","example":"https://api.voidly.ai/v1/pay/proxy?u=<https-url>&to=did:voidly:<your-did>&price=0.01","page":"https://voidly.ai/pay/proxy","note":"Paywall any public HTTPS URL with one query param. No SDK install required."},"install":{"typescript":"npm install @voidly/pay","python":"pip install voidly-pay","langchain":"pip install voidly-pay-langchain","vercel_ai":"npm install @voidly/pay-vercel-ai","mcp":"npx @voidly/pay-mcp","cli":"npm install -g @voidly/pay-cli"},"note":"Voidly Pay is the open agent-to-agent payment rail. Claim a DID + 10 starter credits in 60s, or paywall any URL via the universal proxy with one query param."}}