cbcvebase.
CVE-2026-27971
published 2026-03-03

Priority P186 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.63% (90.6th percentile)
Qwik is a performance-focused JavaScript framework. Qwik <= 1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. It affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.

Affected (3 ranges)

Vendor       Product   Version range      Fixed in
builder.io   qwik      >= 0, < 1.19.1     1.19.1
qwik         qwik      < 1.19.1           1.19.1
qwikdev      qwik      < 1.19.1           1.19.1
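The affected range above comes down to one comparison: an installed Qwik below 1.19.1 is in scope. The following is an added example (not code from this page or from the Qwik project) that walks an npm package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path) and lists every copy, including nested duplicates, that falls inside the range. It assumes the npm package name @builder.io/qwik for the 1.x line; the page itself only names the product "qwik" under three vendor identifiers. The sample lockfile is constructed for the example.

```python
"""Lockfile check for CVE-2026-27971 (added example, not from the page or the Qwik project)."""
import json
import re

FIXED_VERSION = "1.19.1"
PACKAGE_NAME = "@builder.io/qwik"   # assumed npm package name for Qwik 1.x
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def semver_key(version: str):
    """Sort key with semver precedence: a pre-release ranks below its release.

    1.19.1-dev... < 1.19.1 < 1.19.10, so a 1.19.1 pre-release is still reported.
    """
    m = SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch, pre = m.groups()
    # numeric identifiers compare as integers, alphanumeric ones lexically
    pre_ids = tuple((0, int(p)) if p.isdigit() else (1, p)
                    for p in (pre.split(".") if pre else ()))
    return (int(major), int(minor), int(patch), 1 if pre is None else 0, pre_ids)


def is_vulnerable(version: str) -> bool:
    """True for every version below the fixed release (the page's '< 1.19.1' range)."""
    return semver_key(version) < semver_key(FIXED_VERSION)


def find_vulnerable_installs(lockfile_text: str) -> list:
    """Return [(install_path, version)] for each in-range copy of the package."""
    lock = json.loads(lockfile_text)
    packages = lock.get("packages")
    if not isinstance(packages, dict):
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    hits = []
    for path, meta in packages.items():
        # nested copies live at ".../node_modules/<dep>/node_modules/@builder.io/qwik"
        if path.endswith("node_modules/" + PACKAGE_NAME) and "version" in meta:
            if is_vulnerable(meta["version"]):
                hits.append((path, meta["version"]))
    return hits


# Constructed sample: one top-level vulnerable copy, one nested copy already fixed.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"@builder.io/qwik": "^1.19.0"}},
        "node_modules/@builder.io/qwik": {"version": "1.19.0"},
        "node_modules/some-lib": {"version": "2.3.4"},
        "node_modules/some-lib/node_modules/@builder.io/qwik": {"version": "1.19.1"},
    },
})

if __name__ == "__main__":
    for path, version in find_vulnerable_installs(SAMPLE_LOCKFILE):
        print(f"{path}: {version} is below {FIXED_VERSION}")
```

Run it against a real lockfile with `find_vulnerable_installs(open("package-lock.json").read())`; an empty result means no installed copy is below 1.19.1, but it says nothing about whether the deployed bundle was built from that lockfile.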

Detection & IOCs (extracted from sources)

url:    /?qfunc=sync
other:  Content-Type: application/qwik-json
other:  X-QRL: sync
other:  {"_objs":["\u0002./node_modules/cross-spawn/index#sync","cat","/etc/passwd",["2"],["0","1","3"]],"_entry":"4"}
path:   ./node_modules/cross-spawn/index#sync
snort/suricata rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Qwik Unauthenticated RCE via server$ Deserialization (CVE-2026-27971)"; flow:established,to_server; http.uri; content:"qfunc|3d|sync"; fast_pattern; http.header; to_lowercase; content:"x-qrl|3a 20|"; http.request_body; content:"|22|_objs|22 3a|"; http.method; content:"POST"; reference:url,vulnerabletarget.com/detail.html?id=vt-2026-27971; reference:cve,2026-27971; classtype:web-application-attack; sid:2068291; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2026_03_17, cve CVE_2026_27971, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect exploit attempts by matching POST requests to URIs containing 'qfunc=sync', with header 'X-QRL: sync' and request body containing '_objs'
  • Shodan/FOFA fingerprint for exposed Qwik instances: search for 'q:version' in HTTP response body
  • Exploit payload abuses the server$ RPC deserialization mechanism via the _objs array, referencing the cross-spawn module to achieve arbitrary command execution
  • Exploitation requires that require() is available at runtime on the target deployment
  • The Snort/Suricata rule (sid:2068291) is designed for perimeter, internal, and SSLDecrypt deployments; TLS-encrypted traffic requires decryption (TLSDecrypt) for the rule to fire
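The rule's four conditions (POST method, `qfunc=sync` in the URI, a lowercased `x-qrl: ` header, and the literal `"_objs":` in the body) are simple enough to reproduce for offline triage of captured or logged requests. The following is an added example, not code from this page, the rule author, or the Qwik project: it applies those conditions to a raw HTTP/1.1 request and, on a full match, pulls the module-reference strings out of the qwik-json `_objs` array so the analyst sees which server-side module the payload points at. Treating `path#export` (optionally prefixed by a control byte, as in the published `\u0002./node_modules/cross-spawn/index#sync` IOC) as the general shape of such a reference is an assumption made for this example, not a description of Qwik's wire format. The sample requests are constructed from the IOCs listed above.

```python
"""Triage helper for CVE-2026-27971 exploit attempts (added example, not from the page or the Qwik project)."""
import json
import re
from dataclasses import dataclass, field

# Assumed general shape of a module reference in the _objs array: "<path>#<export>",
# optionally preceded by control bytes (the published IOC starts with \u0002).
MODULE_REF = re.compile(
    r"^[\x00-\x1f]*(?P<path>\.{0,2}/[^#\s]+)#(?P<export>[A-Za-z_$][\w$]*)$")


@dataclass
class Verdict:
    matched: bool                                      # all four rule conditions held
    reasons: list = field(default_factory=list)        # which conditions held
    module_refs: list = field(default_factory=list)    # "path#export" strings from _objs


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, header_block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.decode("latin-1").split(" ", 2)
    return method, uri, header_block.decode("latin-1"), body


def extract_module_refs(body: bytes) -> list:
    """Return the "path#export" strings found in the top-level _objs array."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return []
    objs = doc.get("_objs") if isinstance(doc, dict) else None
    if not isinstance(objs, list):
        return []
    refs = []
    for item in objs:
        m = MODULE_REF.match(item) if isinstance(item, str) else None
        if m:
            refs.append(f"{m['path']}#{m['export']}")   # drop the control-byte prefix
    return refs


def inspect_request(raw: bytes) -> Verdict:
    """Apply the conditions of sid:2068291; extract module references only on a full match."""
    method, uri, header_block, body = parse_request(raw)
    checks = [
        (method == "POST", "http.method POST"),
        ("qfunc=sync" in uri, "http.uri contains qfunc=sync"),
        # the rule lowercases the header buffer and looks for the literal "x-qrl: "
        ("x-qrl: " in header_block.lower(), "X-QRL header present"),
        (b'"_objs":' in body, 'body contains "_objs":'),
    ]
    reasons = [label for ok, label in checks if ok]
    matched = len(reasons) == len(checks)
    return Verdict(matched, reasons, extract_module_refs(body) if matched else [])


# Constructed sample traffic: the exploit request is assembled from this page's IOCs,
# the benign request is an ordinary JSON POST to an unrelated path.
EXPLOIT_BODY = (b'{"_objs":["\\u0002./node_modules/cross-spawn/index#sync","cat",'
                b'"/etc/passwd",["2"],["0","1","3"]],"_entry":"4"}')
SAMPLE_EXPLOIT_REQUEST = (
    b"POST /?qfunc=sync HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/qwik-json\r\nX-QRL: sync\r\n"
    b"Content-Length: %d\r\n\r\n" % len(EXPLOIT_BODY) + EXPLOIT_BODY
)
BENIGN_BODY = b'{"query":"hello"}'
SAMPLE_BENIGN_REQUEST = (
    b"POST /api/search HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/json\r\nContent-Length: %d\r\n\r\n" % len(BENIGN_BODY)
    + BENIGN_BODY
)

if __name__ == "__main__":
    for name, req in (("exploit", SAMPLE_EXPLOIT_REQUEST), ("benign", SAMPLE_BENIGN_REQUEST)):
        v = inspect_request(req)
        print(f"{name}: matched={v.matched} reasons={v.reasons} refs={v.module_refs}")
```

Like the rule itself, this only sees plaintext: feed it decrypted request bodies from a reverse proxy or TLS-terminating sensor. A module reference outside node_modules, or a different export than `sync`, is still reported, which is the point of extracting the reference rather than matching only the cross-spawn string.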

CVSS provenance

NVD (v3.1):   9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v4.0):   9.2 CRITICAL   CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck:    9.2 CRITICAL