
Qwik CVE-2023-0410

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-01-20 security@huntr.dev GHSA-hm7f-rq7q-j9xp
6.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 13, 2026 - 19:30 (vuln.today)
Patch released: Mar 13, 2026 - 19:21 (nvd), patch available
CVE Published: Jan 20, 2023 - 01:15 (nvd), MEDIUM 6.1

Description (CVE.org)

Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5.

Analysis (AI)

A Cross-site Scripting (XSS) vulnerability exists in the Qwik framework (Node.js) prior to version 0.1.0-beta5, allowing unauthenticated attackers to inject malicious scripts through user interaction. The vulnerability has a CVSS score of 6.1 (Medium) with low exploitation probability (EPSS 0.34%, 56th percentile), indicating limited real-world risk despite the XSS classification. A patch is available from the vendor, and no active exploitation or public POC has been widely documented.

Technical Context (AI)

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting), affecting the Qwik framework (cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*) in its Node.js runtime environment. Qwik is a modern JavaScript framework focused on performance and resumability. The XSS flaw suggests improper input validation or output encoding in template rendering or component handling, allowing attackers to execute arbitrary JavaScript in the context of affected web applications built with vulnerable Qwik versions. The issue was likely in framework-level template processing or DOM manipulation code.

Remediation (AI)

Upgrade the Qwik framework to version 0.1.0-beta5 or later. The vulnerability was patched in commit 4b2f89dbbd2bc0a2c92eae1a49bdd186e589151a on the builderio/qwik repository.

Mitigation: For applications that cannot be patched immediately, implement strict Content Security Policy (CSP) headers to limit the impact of XSS. CSP can prevent inline script execution and restrict script sources, reducing XSS impact severity.
