cbcvebase.
CVE-2026-25151
published 2026-02-03

CVE-2026-25151: Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request…

PriorityP434medium5.9CVSS 3.1
AVNACHPRNUIRSUCLIHAN
EPSS
0.16%
5.5th percentile
Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0.

Affected

3 ranges
VendorProductVersion rangeFixed in
builder.ioqwik-city>= 0 < 1.19.01.19.0
qwikqwik< 1.19.01.19.0
qwikdevqwik< 1.19.01.19.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.