CVE-2023-0410

MEDIUM
6.1
CVSS 3.1
CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 13, 2026 - 19:30 (vuln.today)
Patch Released: Mar 13, 2026 - 19:21 (nvd), patch available
CVE Published: Jan 20, 2023 - 01:15 (nvd), MEDIUM 6.1

Description

Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5.

Analysis

A Cross-site Scripting (XSS) vulnerability exists in the Qwik framework (Node.js) prior to version 0.1.0-beta5. It allows unauthenticated attackers to inject malicious scripts, and exploitation requires user interaction. The vulnerability has a CVSS score of 6.1 (Medium) with low exploitation probability (EPSS 0.34%, 56th percentile), indicating limited real-world risk despite the XSS classification. A patch is available from the vendor, and no active exploitation or public POC has been widely documented.

Technical Context

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting), affecting the Qwik framework (cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*) in its Node.js runtime environment. Qwik is a modern JavaScript framework focused on performance and resumability. The XSS flaw suggests improper input validation or output encoding in template rendering or component handling, allowing attackers to execute arbitrary JavaScript in the context of affected web applications built with vulnerable Qwik versions. The issue was likely in framework-level template processing or DOM manipulation code.

Affected Products

Qwik Framework (all versions prior to 0.1.0-beta5)

Remediation

Upgrade the Qwik framework to version 0.1.0-beta5 or later. The vulnerability was patched in commit 4b2f89dbbd2bc0a2c92eae1a49bdd186e589151a on the builderio/qwik repository.

Mitigation: For applications unable to patch immediately, implement strict Content Security Policy (CSP) headers to limit the impact of XSS. CSP can prevent inline script execution and restrict script sources, reducing XSS impact severity.

Priority Score

31
KEV: 0
EPSS: +0.3
CVSS: +30
POC: 0
