CVE-2026-27971
Published: 2026-03-03
Priority: P186 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck KEV: Exploited in the wild
EPSS: 4.63% (90.6th percentile)
Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| builder.io | qwik | >= 0 < 1.19.1 | 1.19.1 |
| qwik | qwik | < 1.19.1 | 1.19.1 |
| qwikdev | qwik | < 1.19.1 | 1.19.1 |
Detection & IOCs (extracted from sources)
Payload indicator (other): {"_objs":["\u0002./node_modules/cross-spawn/index#sync","cat","/etc/passwd",["2"],["0","1","3"]],"_entry":"4"}
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Qwik Unauthenticated RCE via server$ Deserialization (CVE-2026-27971)"; flow:established,to_server; http.uri; content:"qfunc|3d|sync"; fast_pattern; http.header; to_lowercase; content:"x-qrl|3a 20|"; http.request_body; content:"|22|_objs|22 3a|"; http.method; content:"POST"; reference:url,vulnerabletarget.com/detail.html?id=vt-2026-27971; reference:cve,2026-27971; classtype:web-application-attack; sid:2068291; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2026_03_17, cve CVE_2026_27971, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Detect exploit attempts by matching POST requests to URIs containing 'qfunc=sync', with header 'X-QRL: sync' and request body containing '_objs'
- Shodan/FOFA fingerprint for exposed Qwik instances: search for 'q:version' in HTTP response body
- Exploit payload abuses the server$ RPC deserialization mechanism via the _objs array, referencing the cross-spawn module to achieve arbitrary command execution
- Exploitation requires that require() is available at runtime on the target deployment
- The Snort/Suricata rule (sid:2068291) is designed for perimeter, internal, and SSLDecrypt deployments; TLS-encrypted traffic requires decryption (TLSDecrypt) for the rule to fire
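As an added, defender-side illustration (not from the advisory, the rule author or the Qwik project), this Python re-implements the four content checks of sid:2068291 over raw HTTP requests so the rule's logic can be exercised offline and tuned. The sample requests and their bodies are constructed placeholders; note that the rule's header test (content:"x-qrl|3a 20|" after to_lowercase) only requires that an X-QRL header is present, not that its value is 'sync'.

```python
# Re-implementation of the matching logic of Snort/Suricata sid:2068291.
# Added example; the sample requests below are constructed, not captured traffic.

# Mimics the request shape the rule targets: POST, qfunc=sync in the URI,
# an X-QRL header and a JSON body carrying the "_objs" key (placeholder body).
SUSPICIOUS = (
    "POST /?qfunc=sync HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "X-QRL: sync\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"_objs":["placeholder"],"_entry":"0"}'
)
# Same markers but a different (made-up) qfunc id: must not trip the rule.
OTHER_QFUNC = SUSPICIOUS.replace("qfunc=sync", "qfunc=abc123")
# Same URI and header, but the body lacks the "_objs" key.
NO_OBJS = SUSPICIOUS.replace('"_objs"', '"data"')

# One entry per content match in the rule; the header block is lowercased
# before matching, mirroring the rule's to_lowercase on http.header.
CHECKS = {
    "method_post": lambda m, u, h, b: m == "POST",
    "uri_qfunc_sync": lambda m, u, h, b: "qfunc=sync" in u,
    "header_x_qrl": lambda m, u, h, b: "x-qrl: " in h,
    "body_objs_key": lambda m, u, h, b: '"_objs":' in b,
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, uri, lowercased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, header_block.lower(), body


def failed_checks(raw):
    """Names of the rule conditions this request does NOT satisfy.

    An empty list means every condition held, i.e. the rule would alert;
    the names tell you which buffer to look at when tuning false positives."""
    parts = parse_request(raw)
    return [name for name, check in CHECKS.items() if not check(*parts)]


def matches_sid_2068291(raw):
    """True when the request satisfies all four content checks of the rule."""
    return not failed_checks(raw)
```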
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| VulnCheck | | 9.2 | CRITICAL | |
GHSA
Qwik vulnerable to Unauthenticated RCE via server$ Deserialization (ghsa · 2026-03-02)
CVE-2026-27971 [CRITICAL] CWE-502
### Summary
qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the `server$` RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where `require()` is available at runtime.
### Impact
- Remote Code Execution
OSV
Qwik vulnerable to Unauthenticated RCE via server$ Deserialization (osv · 2026-03-02)
CVE-2026-27971 [CRITICAL]
VulnCheck
qwik qwik Deserialization of Untrusted Data (vulncheck · 2026 · CVSS 9.2)
CVE-2026-27971 [CRITICAL]
Affected: qwik qwik
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2026-27971
Suricata
ET WEB_SPECIFIC_APPS Qwik Unauthenticated RCE via server$ Deserialization (CVE-2026-27971) (suricata · 2026-03-17 · CVSS 9.2)
CVE-2026-27971 [CRITICAL]
Rule: sid:2068291 (full rule text listed under Detection & IOCs above)
Nuclei
Qwik - Unauthenticated RCE via server$ Deserialization (nuclei · CVSS 9.2)
CVE-2026-27971 [CRITICAL]
Qwik <=1.19.0 contains an insecure deserialization vulnerability in the server$ RPC mechanism, letting unauthenticated attackers execute arbitrary code remotely; exploitation requires that require() is available at runtime.
Template (info section, as published):
```yaml
id: CVE-2026-27971
info:
  name: Qwik - Unauthenticated RCE via server$ Deserialization
  author: omarkurt
  severity: critical
  description: |
    Qwik <=1.19.0 contains an insecure deserialization vulnerability in the server$ RPC mechanism, letting unauthenticated attackers execute arbitrary code remotely, exploit requires require() availability at runtime.
  impact: |
    Unauthenticated attackers can execute arbitrary code on the server, leading to full system compromise.
  remediation: |
    Update to version 1.19.1 or later.
```