Qwik
CVE-2026-27971
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.
AnalysisAI
RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.
Technical ContextAI
CWE-502 in Qwik's server$ RPC mechanism. Unsafe deserialization of server function arguments.
RemediationAI
Update Qwik.
Code injection in Qwik framework before 0.21.0. PoC and patch available.
Qwik is a performance focused javascript framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exp
Qwik JavaScript framework prior to 1.19.0 has a prototype pollution vulnerability that can lead to server-side code exec
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.
Qwik, a performance-focused JavaScript framework, contains an array prototype pollution vulnerability in its FormData pa
A Cross-site Scripting (XSS) vulnerability exists in the Qwik framework (Node.js) prior to version 0.1.0-beta5, allowing
Improper serialization of virtual attributes in Qwik versions prior to 1.19.0 enables stored cross-site scripting attack
Qwik versions up to 1.19.0 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).
Qwik is a performance focused javascript framework. [CVSS 5.9 MEDIUM]
Qwik versions prior to 1.12.0 contain a regular expression parsing error in the isContentType function that allows attac
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-p9x5-jp3h-96mm