CVE-2026-27971

Critical CVSS: 9.2

Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.

Vendor

Qwik

Product

Qwik

CWE

CWE-502

Yayın Tarihi

2026-03-03 23:15:56

Güncelleme

2026-03-05 17:57:37

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-502 Qwik CRITICAL Qwik 2026

Referanslar

https://github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm

Benzer Kayıtlar

High

CVE-2026-32701

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form…

Medium

CVE-2026-25148

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwi…

Low

CVE-2026-25149

Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City…

Critical

CVE-2026-25150

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists…

Medium

CVE-2026-25151

Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inc…

Medium

CVE-2026-25155

Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isC…