Qwik
Qwik, a performance-focused JavaScript framework, contains an array prototype pollution vulnerability in its FormData parsing logic that affects versions prior to 1.19.2. Attackers can submit specially crafted form field names using mixed array-index and object-property keys (e.g., items.0 alongside items.toString or items.length) to inject malicious properties into objects the application expects to be arrays, leading to denial of service through malformed array states, oversized lengths, or request handling failures. The vulnerability has a CVSS score of 7.5 (High severity) with network-based exploitation requiring no authentication or user interaction, and a patch is available in version 1.19.2.
RCE in Qwik JavaScript framework <= 1.19.0 via unsafe deserialization in server$ Runtime. EPSS 13.4% with PoC available.
Qwik versions prior to 1.12.0 contain a regular expression parsing error in the isContentType function that allows attackers to bypass Content-Type validation through crafted headers. An attacker can exploit this to perform cross-site request forgery (CSRF) attacks by manipulating how the application interprets request content types. A patch is available in version 1.12.0.
Qwik is a performance-focused JavaScript framework. [CVSS 5.9 MEDIUM]
Qwik JavaScript framework prior to 1.19.0 has a prototype pollution vulnerability that can lead to server-side code execution in SSR applications.
Qwik versions up to 1.19.0 are affected by URL redirection to an untrusted site (open redirect) (CVSS 6.1).
Improper serialization of virtual attributes in Qwik versions prior to 1.19.0 enables stored cross-site scripting attacks during server-side rendering, allowing attackers to inject malicious scripts that execute in users' browsers within the affected application context. The vulnerability requires user interaction and affects applications using vulnerable Qwik versions. A patch is available in version 1.19.0 and later.
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.
Code injection in Qwik framework before 0.21.0. PoC and patch available.
A Cross-site Scripting (XSS) vulnerability exists in the Qwik framework (Node.js) prior to version 0.1.0-beta5, allowing unauthenticated attackers to inject malicious scripts through user interaction. The vulnerability has a CVSS score of 6.1 (Medium) with low exploitation probability (EPSS 0.34%, 56th percentile), indicating limited real-world risk despite the XSS classification. A patch is available from the vendor, and no active exploitation or public PoC has been widely documented.