Qwikdev Qwik vulnerabilities

9 known vulnerabilities affecting qwikdev/qwik.

Total CVEs: 9
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 2, MEDIUM 4

Vulnerabilities

CVE-2026-27971 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | fixed in 1.19.1 | 2026-03-03
CVE-2026-27971 [CRITICAL] CWE-502: Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerabilit
Source: nvd
CVE-2026-25150 | P2 | CRITICAL | CVSS 10.0 | fixed in 1.19.0 | 2026-02-03
CVE-2026-25150 [CRITICAL] CWE-1321: Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __pro
Source: nvd
CVE-2025-53620 | P3 | CRITICAL | CVSS 9.2 | fixed in 1.13.0 | 2025-07-09
CVE-2025-53620 [CRITICAL] CWE-248: @builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed, it dynamically loads the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node JS to exit. This vulnerability is fixed in 1.13.0.
Source: nvd
CVE-2026-32701 | P3 | HIGH | CVSS 7.5 | fixed in 1.19.2 | 2026-03-20
CVE-2026-32701 [HIGH] CWE-843: Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be array
Source: nvd
CVE-2026-25151 | P4 | MEDIUM | CVSS 5.9 | fixed in 1.19.0 | 2026-02-03
CVE-2026-25151 [MEDIUM] CWE-352: Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City's server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in versi
Source: nvd
CVE-2026-25155 | P4 | HIGH | CVSS 7.1 | fixed in 1.12.0 | 2026-02-03
CVE-2026-25155 [HIGH] CWE-352: Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.
Source: nvd
CVE-2026-25149 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.19.0 | 2026-02-03
CVE-2026-25149 [MEDIUM] CWE-601: Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the tr
Source: nvd
CVE-2026-25148 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.19.0 | 2026-02-03
CVE-2026-25148 [MEDIUM] CWE-79: Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's br
Source: nvd
CVE-2024-41677 | P4 | MEDIUM | CVSS 6.1 | @builder.io/qwik: < 1.7.3; qwik: < 1.6.0 | 2024-08-06
CVE-2024-41677 [MEDIUM] CWE-79: Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. It sometimes causes the situation that the final DOM tree rendered on
Source: nvd