Qwik
RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.
Qwik versions prior to 1.12.0 contain a regular expression parsing error in the isContentType function that allows attackers to bypass Content-Type validation through crafted headers. An attacker can exploit this to perform cross-site request forgery (CSRF) attacks by manipulating how the application interprets request content types. A patch is available in version 1.12.0.
Qwik is a performance-focused JavaScript framework. [CVSS 5.9 MEDIUM]
Qwik JavaScript framework prior to 1.19.0 has a prototype pollution vulnerability that can lead to server-side code execution in SSR applications.
Qwik versions up to 1.19.0 are affected by URL redirection to an untrusted site (open redirect) (CVSS 6.1).
Improper serialization of virtual attributes in Qwik versions prior to 1.19.0 enables stored cross-site scripting attacks during server-side rendering, allowing attackers to inject malicious scripts that execute in users' browsers within the affected application context. The vulnerability requires user interaction and affects applications using vulnerable Qwik versions. A patch is available in version 1.19.0 and later.
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.
Code injection in Qwik framework before 0.21.0. PoC and patch available.
A Cross-site Scripting (XSS) vulnerability exists in the Qwik framework (Node.js) prior to version 0.1.0-beta5, allowing unauthenticated attackers to inject malicious scripts through user interaction. The vulnerability has a CVSS score of 6.1 (Medium) with low exploitation probability (EPSS 0.34%, 56th percentile), indicating limited real-world risk despite the XSS classification. A patch is available from the vendor, and no active exploitation or public PoC has been widely documented.