CVE-2026-32701

| EUVD-2026-13639 HIGH
2026-03-20 GitHub_M GHSA-whhv-gg5v-864r
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 09:18 euvd
EUVD-2026-13639
Analysis Generated
Mar 20, 2026 - 09:18 vuln.today
CVE Published
Mar 20, 2026 - 08:52 nvd
HIGH 7.5

Tags

Memory Corruption Denial Of Service

Description

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path-such as items.toString, items.push, items.valueOf, or items.length-could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2.

Analysis

Qwik, a performance-focused JavaScript framework, contains an array prototype pollution vulnerability in its FormData parsing logic that affects versions prior to 1.19.2. Attackers can submit specially crafted form field names using mixed array-index and object-property keys (e.g., items.0 alongside items.toString or items.length) to inject malicious properties into objects the application expects to be arrays, leading to denial of service through malformed array states, oversized lengths, or request handling failures. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Inventory all applications using Qwik framework and identify those running versions prior to 1.19.2; immediately implement WAF rules to block malicious form field patterns (mixed array-index and object-property keys). Within 7 days: Upgrade all affected Qwik installations to version 1.19.2 or later; validate patch deployment across all environments. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0

Vendor Status

Debian

qwik
Release Status Fixed Version Urgency
(unstable) fixed (unfixed) -

Share

CVE-2026-32701 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy