This page aggregates CVE and security vulnerability intelligence across all Qwik-related products, including CVSS scores, EPSS scores, publication dates, and related vulnerability intelligence data.
Historical issues mainly involve CSRF, open redirect, and related problems; some flaws may lead to session compromise, affecting production workloads.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-32701 | Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items. | [email protected] | 7.5 | 0.02% | 2026-03-20 | 2026-03-23 |
| CVE-2026-27971 | Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1. | [email protected] | 9.2 | 26.17% | 2026-03-03 | 2026-03-05 |
| CVE-2026-25155 | Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0. | [email protected] | 5.9 | 0.01% | 2026-02-03 | 2026-02-10 |
| CVE-2026-25151 | Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0. | [email protected] | 5.9 | 0.01% | 2026-02-03 | 2026-02-10 |
| CVE-2026-25150 | Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially l | [email protected] | 9.3 | 0.05% | 2026-02-03 | 2026-02-10 |
| CVE-2026-25149 | Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0. | [email protected] | 2.7 | 0.01% | 2026-02-03 | 2026-02-10 |
| CVE-2026-25148 | Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0. | [email protected] | 5.3 | 0.02% | 2026-02-03 | 2026-02-10 |
| CVE-2024-41677 | Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known | [email protected] | 6.3 | 0.61% | 2024-08-06 | 2024-08-12 |
| CVE-2023-2307 | Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0. | [email protected] | 4.7 | 0.17% | 2023-04-26 | 2026-03-13 |
| CVE-2023-1283 | Code Injection in GitHub repository builderio/qwik prior to 0.21.0. | [email protected] | 10.0 | 0.27% | 2023-03-08 | 2026-03-13 |
| CVE-2023-0410 | Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5. | [email protected] | 6.1 | 0.34% | 2023-01-20 | 2026-03-13 |