CVE-2026-25150

Critical CVSS: 9.3

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0.

Vendor

Qwik

Product

Qwik

CWE

CWE-1321

Yayın Tarihi

2026-02-03 22:16:30

Güncelleme

2026-02-10 20:10:16

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-1321 Qwik CRITICAL Qwik 2026

Referanslar

https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7 https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq

Benzer Kayıtlar

High

CVE-2026-32701

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form…

Critical

CVE-2026-27971

Qwik is a performance focused javascript framework. qwik

Medium

CVE-2026-25148

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwi…

Low

CVE-2026-25149

Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City…

Medium

CVE-2026-25151

Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inc…

Medium

CVE-2026-25155

Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isC…