Skip to main content

Qwik CVE-2026-27971

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-03-03 security-advisories@github.com GHSA-p9x5-jp3h-96mm
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
PoC Detected
Mar 05, 2026 - 17:57 vuln.today
Public exploit code
CVE Published
Mar 03, 2026 - 23:15 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.

AnalysisAI

RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.

Technical ContextAI

CWE-502 in Qwik's server$ RPC mechanism. Unsafe deserialization of server function arguments.

RemediationAI

Update Qwik.

More in Qwik

View all
CVE-2023-1283 CRITICAL POC
10.0 Mar 08

Code injection in Qwik framework before 0.21.0. PoC and patch available.

CVE-2024-41677 MEDIUM POC
6.1 Aug 06

Qwik is a performance focused javascript framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exp

CVE-2026-25150 CRITICAL
9.3 Feb 03

Qwik JavaScript framework prior to 1.19.0 has a prototype pollution vulnerability that can lead to server-side code exec

CVE-2023-2307 MEDIUM POC
4.7 Apr 26

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.

CVE-2026-32701 HIGH
7.5 Mar 20

Qwik, a performance-focused JavaScript framework, contains an array prototype pollution vulnerability in its FormData pa

CVE-2023-0410 MEDIUM
6.1 Jan 20

A Cross-site Scripting (XSS) vulnerability exists in the Qwik framework (Node.js) prior to version 0.1.0-beta5, allowing

CVE-2026-25148 MEDIUM
6.1 Feb 03

Improper serialization of virtual attributes in Qwik versions prior to 1.19.0 enables stored cross-site scripting attack

CVE-2026-25149 MEDIUM
6.1 Feb 03

Qwik versions up to 1.19.0 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

CVE-2026-25151 MEDIUM
5.9 Feb 03

Qwik is a performance focused javascript framework. [CVSS 5.9 MEDIUM]

CVE-2026-25155 MEDIUM
5.9 Feb 03

Qwik versions prior to 1.12.0 contain a regular expression parsing error in the isContentType function that allows attac

Share

CVE-2026-27971 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy