diff --git a/CHANGELOG.md b/CHANGELOG.md
index 97a4a71..7213b75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,14 @@
 # cveClient Changelog +## Version 1.0.25 — 2026-03-28 +- Bug: Bug fix in `cveClientlib.js` where query params such {active: false} will not work due to weak coercion +- Updated `cveClientlib.js` to version 1.0.26, should support npm usage as well. + ## Version 1.0.24 — 2026-03-28 -- Security: Fixed XSS vulnerability — use `.text()` instead of `.html()` for CVE ID in modal title -- Security: Prevent plaintext API key storage and harden encryption key handling -- Security: Added prototype pollution protection to `queryParser` and removed sensitive logging +- Security: Fixed XSS vulnerability — use `.text()` instead of `.html()` for CVE ID in modal title CVE-2026-35466 +- Security: Prevent plaintext API key storage and harden encryption key handling CVE-2026-35467 +- Security: Added prototype pollution protection to `queryParser` and removed sensitive logging CVE-2026-35466 - Updated SweetAlert2 from 11.4.9 to 11.26.24 - Made schema references version-agnostic with automatic schema version detection - Added ADP (Authorized Data Publisher) read and delete support
diff --git a/cveClientlib.js b/cveClientlib.js
index 4fcca59..d522c04 100644
--- a/cveClientlib.js
+++ b/cveClientlib.js
@@ -5,7 +5,30 @@ class cveClient {
 this.key = key;
 this.url = url;
 this.user_path = "/org/" + this.org + "/user/" + this.user;
- this._version = "1.0.25";
+ this._version = "1.0.26";
+ }
+ /* Safely build query string */
+ _buildQuery(qvars) {
+ if (!qvars) return "";
+
+ const params = new URLSearchParams();
+
+ Object.entries(qvars).forEach(([key, val]) => {
+ /* Skip only null/undefined */
+ if (val == null) return;
+ /* Handle arrays (common in APIs) */
+ if (Array.isArray(val)) {
+ val.forEach(v => {
+ if (v != null) params.append(key, String(v));
+ });
+ return;
+ }
+
+ /* Normalize everything else */
+ params.append(key, String(val));
+ });
+
+ return params.toString();
 }
 /* PUT /cve/{id}/adp — the only ADP endpoint per CVE Services API spec
 See https://cveawg.mitre.org/api-docs/ */
@@ -139,21 +162,13 @@ class cveClient {
 if(!opts) {
 opts = {method:'GET'};
 }
- if(qvars) {
- var qstr = new URLSearchParams();
- Object.keys(qvars).forEach(function(x) {
- /* Remove empty values in query_string
- strange issue #11 when changing user's information
- see https://github.com/CERTCC/cveClient/issues/11
- */
- if(qvars[x] != "")
- qstr.append(x,qvars[x]);
- });
- url.search = qstr.toString();
+ const qs = this._buildQuery(qvars);
+ if (qs) {
+ url.search = qs;
 }
 if(!('headers' in opts))
 opts.headers = {};
- opts.headers = Object.assign({},opts.headers,
+ opts.headers = Object.assign({}, opts.headers || {},
 {'CVE-API-KEY': this.key,
 'CVE-API-ORG': this.org,
 'CVE-API-USER': this.user });
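Review bot: `_buildQuery` now forwards empty strings, because `if (val == null) return;` skips only null and undefined, whereas the block it replaces in the second hunk dropped them deliberately for issue #11 (`if(qvars[x] != "")`), so `{name: ""}` now yields `name=` where nothing was sent before and the user-update case described in the removed comment may regress. A strict check keeps that behaviour without the weak coercion the changelog fixes: `if (val == null || val === "") return;`, and the same test belongs in the array branch (`if (v != null && v !== "") params.append(key, String(v));`). Non-primitive values still serialise as `[object Object]` through `String(val)`; if nested objects are not expected, a doc line on the method saying so would help, e.g. `/* qvars: flat map of primitive or array-of-primitive values; null/undefined skipped, arrays repeated per element */`. The method is complete within the hunk.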
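Review bot: The `|| {}` added on the `Object.assign` line is dead code: `Object.assign` ignores null and undefined sources, and the `if(!('headers' in opts)) opts.headers = {};` guard two lines above already creates the object, so the line can remain `opts.headers = Object.assign({}, opts.headers,`. Separately, this assignment writes `CVE-API-KEY` together with the org and user headers into the caller-supplied `opts` object, so the key persists in whatever object the caller keeps or logs after the call; if that is not intended, build the request options as a local copy, `const reqOpts = { ...opts, headers: Object.assign({}, opts.headers, { 'CVE-API-KEY': this.key, 'CVE-API-ORG': this.org, 'CVE-API-USER': this.user }) };`, and use it for the request. The enclosing method continues beyond the hunk, so the later use of `opts` would need the same rename.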