Skip to main content

Qwik CVE-2024-41677

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-08-06 security-advisories@github.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 06, 2024 - 18:15 nvd
MEDIUM 6.1

DescriptionNVD

Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the render-ssr.ts file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). This has been resolved in qwik version 1.6.0 and @builder.io/qwik version 1.7.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

Qwik is a performance focused javascript framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the render-ssr.ts file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). This has been resolved in qwik version 1.6.0 and @builder.io/qwik version 1.7.3. All users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Qwik. Version information: version 1.6.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Qwik

View all
CVE-2026-27971 CRITICAL POC
9.8 Mar 03

RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.

CVE-2023-1283 CRITICAL POC
10.0 Mar 08

Code injection in Qwik framework before 0.21.0. PoC and patch available.

CVE-2026-25150 CRITICAL
9.3 Feb 03

Qwik JavaScript framework prior to 1.19.0 has a prototype pollution vulnerability that can lead to server-side code exec

CVE-2023-2307 MEDIUM POC
4.7 Apr 26

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.

CVE-2026-32701 HIGH
7.5 Mar 20

Qwik, a performance-focused JavaScript framework, contains an array prototype pollution vulnerability in its FormData pa

CVE-2023-0410 MEDIUM
6.1 Jan 20

A Cross-site Scripting (XSS) vulnerability exists in the Qwik framework (Node.js) prior to version 0.1.0-beta5, allowing

CVE-2026-25148 MEDIUM
6.1 Feb 03

Improper serialization of virtual attributes in Qwik versions prior to 1.19.0 enables stored cross-site scripting attack

CVE-2026-25149 MEDIUM
6.1 Feb 03

Qwik versions up to 1.19.0 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

CVE-2026-25151 MEDIUM
5.9 Feb 03

Qwik is a performance focused javascript framework. [CVSS 5.9 MEDIUM]

CVE-2026-25155 MEDIUM
5.9 Feb 03

Qwik versions prior to 1.12.0 contain a regular expression parsing error in the isContentType function that allows attac

Share

CVE-2024-41677 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy