Refine your search
9 vulnerabilities found for qwik by QwikDev
CVE-2026-32701 (GCVE-0-2026-32701)
Vulnerability from cvelistv5
Published
2026-03-20 08:52
Modified
2026-03-20 12:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path—such as items.toString, items.push, items.valueOf, or items.length—could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T12:07:03.359174Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T12:07:39.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "qwik",
"vendor": "QwikDev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path\u2014such as items.toString, items.push, items.valueOf, or items.length\u2014could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843: Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T08:52:41.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-whhv-gg5v-864r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-whhv-gg5v-864r"
},
{
"name": "https://github.com/QwikDev/qwik/commit/7b5867c3dd8925df9aa96c4296b1e95a4c2af87d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/QwikDev/qwik/commit/7b5867c3dd8925df9aa96c4296b1e95a4c2af87d"
}
],
"source": {
"advisory": "GHSA-whhv-gg5v-864r",
"discovery": "UNKNOWN"
},
"title": "Qwik has array method pollution in FormData processing, allowing type confusion and DoS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32701",
"datePublished": "2026-03-20T08:52:41.149Z",
"dateReserved": "2026-03-13T14:33:42.823Z",
"dateUpdated": "2026-03-20T12:07:39.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27971 (GCVE-0-2026-27971)
Vulnerability from cvelistv5
Published
2026-03-03 22:55
Modified
2026-03-04 16:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27971",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T16:05:33.671118Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:05:45.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "qwik",
"vendor": "QwikDev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Qwik is a performance focused javascript framework. qwik \u003c=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T22:55:38.064Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm"
}
],
"source": {
"advisory": "GHSA-p9x5-jp3h-96mm",
"discovery": "UNKNOWN"
},
"title": "Qwik affected by unauthenticated RCE via server$ Deserialization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27971",
"datePublished": "2026-03-03T22:55:38.064Z",
"dateReserved": "2026-02-25T03:24:57.793Z",
"dateUpdated": "2026-03-04T16:05:45.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25150 (GCVE-0-2026-25150)
Vulnerability from cvelistv5
Published
2026-02-03 21:12
Modified
2026-02-04 16:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Summary
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T16:31:38.732304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:31:46.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "qwik",
"vendor": "QwikDev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T21:12:50.417Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq"
},
{
"name": "https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7"
}
],
"source": {
"advisory": "GHSA-xqg6-98cw-gxhq",
"discovery": "UNKNOWN"
},
"title": "Prototype Pollution via FormData Processing in Qwik City"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25150",
"datePublished": "2026-02-03T21:12:50.417Z",
"dateReserved": "2026-01-29T15:39:11.821Z",
"dateUpdated": "2026-02-04T16:31:46.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25148 (GCVE-0-2026-25148)
Vulnerability from cvelistv5
Published
2026-02-03 21:12
Modified
2026-02-04 16:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25148",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T16:58:25.313003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:58:39.293Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "qwik",
"vendor": "QwikDev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js\u0027 server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim\u0027s browser in the context of the affected origin. This issue has been patched in version 1.19.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T21:12:38.016Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c"
},
{
"name": "https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094"
}
],
"source": {
"advisory": "GHSA-m6jq-g7gq-5w3c",
"discovery": "UNKNOWN"
},
"title": "Qwik SSR XSS via Unsafe Virtual Node Serialization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25148",
"datePublished": "2026-02-03T21:12:38.016Z",
"dateReserved": "2026-01-29T15:39:11.821Z",
"dateUpdated": "2026-02-04T16:58:39.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25151 (GCVE-0-2026-25151)
Vulnerability from cvelistv5
Published
2026-02-03 21:12
Modified
2026-02-04 16:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T16:59:07.707722Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:59:15.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "qwik",
"vendor": "QwikDev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City\u2019s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T21:12:25.699Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f"
},
{
"name": "https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed"
}
],
"source": {
"advisory": "GHSA-r666-8gjf-4v5f",
"discovery": "UNKNOWN"
},
"title": "Qwik City has a CSRF Protection Bypass via Content-Type Header Validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25151",
"datePublished": "2026-02-03T21:12:25.699Z",
"dateReserved": "2026-01-29T15:39:11.821Z",
"dateUpdated": "2026-02-04T16:59:15.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25155 (GCVE-0-2026-25155)
Vulnerability from cvelistv5
Published
2026-02-03 21:12
Modified
2026-02-04 16:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T16:59:49.112641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:59:56.030Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "qwik",
"vendor": "QwikDev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T21:12:13.235Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22x8"
},
{
"name": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75"
}
],
"source": {
"advisory": "GHSA-vm6g-8r4h-22x8",
"discovery": "UNKNOWN"
},
"title": "[qwik-city] CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25155",
"datePublished": "2026-02-03T21:12:13.235Z",
"dateReserved": "2026-01-29T15:39:11.822Z",
"dateUpdated": "2026-02-04T16:59:56.030Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25149 (GCVE-0-2026-25149)
Vulnerability from cvelistv5
Published
2026-02-03 21:11
Modified
2026-02-04 19:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T19:59:21.273728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T19:59:30.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "qwik",
"vendor": "QwikDev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City\u0027s default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T21:11:55.902Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m"
},
{
"name": "https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed"
}
],
"source": {
"advisory": "GHSA-92j7-wgmg-f32m",
"discovery": "UNKNOWN"
},
"title": "Qwik City Open Redirect via fixTrailingSlash"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25149",
"datePublished": "2026-02-03T21:11:55.902Z",
"dateReserved": "2026-01-29T15:39:11.821Z",
"dateUpdated": "2026-02-04T19:59:30.294Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53620 (GCVE-0-2025-53620)
Vulnerability from cvelistv5
Published
2025-07-09 18:45
Modified
2025-07-09 19:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-248 - Uncaught Exception
Summary
@builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed it dynamically load the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node JS to exit. This vulnerability is fixed in 1.13.0.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53620",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-09T19:14:06.353867Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T19:14:41.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "qwik",
"vendor": "QwikDev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed it dynamically load the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node JS to exit. This vulnerability is fixed in 1.13.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T18:45:28.947Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-qr9h-j6xg-2j72",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-qr9h-j6xg-2j72"
}
],
"source": {
"advisory": "GHSA-qr9h-j6xg-2j72",
"discovery": "UNKNOWN"
},
"title": "Crashing any Qwik Server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53620",
"datePublished": "2025-07-09T18:45:28.947Z",
"dateReserved": "2025-07-07T14:20:38.386Z",
"dateUpdated": "2025-07-09T19:14:41.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41677 (GCVE-0-2024-41677)
Vulnerability from cvelistv5
Published
2024-08-06 17:52
Modified
2024-08-08 19:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). This has been resolved in qwik version 1.6.0 and @builder.io/qwik version 1.7.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:qwikdev:qwik:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "qwik",
"vendor": "qwikdev",
"versions": [
{
"lessThan": "1.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41677",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T19:02:06.566486Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T19:04:29.078Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "qwik",
"vendor": "QwikDev",
"versions": [
{
"status": "affected",
"version": "@builder.io/qwik: \u003c 1.7.3"
},
{
"status": "affected",
"version": "qwik: \u003c 1.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). This has been resolved in qwik version 1.6.0 and @builder.io/qwik version 1.7.3. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T17:52:14.648Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-2rwj-7xq8-4gx4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-2rwj-7xq8-4gx4"
},
{
"name": "https://github.com/QwikDev/qwik/commit/7e742eb3a1001542d795776c0317d47df8b9d64e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/QwikDev/qwik/commit/7e742eb3a1001542d795776c0317d47df8b9d64e"
},
{
"name": "https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208"
}
],
"source": {
"advisory": "GHSA-2rwj-7xq8-4gx4",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) vulnerability due to improper HTML escaping in qwik"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41677",
"datePublished": "2024-08-06T17:52:14.648Z",
"dateReserved": "2024-07-18T15:21:47.486Z",
"dateUpdated": "2024-08-08T19:04:29.078Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}