
26 matches found

VulnCheck KEV
added 2026/04/01 12:0 a.m. | 3 views

VulnCheck KEV: CVE-2026-27971

Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where...

CVSS 9.8 | AI score 6.2 | EPSS 0.26168
In wild | Exploits 0 | References 2

EUVD
added 2026/03/20 3:56 p.m. | 2 views

EUVD-2026-13639

Qwik City has array method pollution in FormData processing, allowing type confusion and DoS...

CVSS 7.5 | AI score 5.8 | EPSS 0.00046
Exploits 0 | References 3

CVE
added 2026/03/20 8:52 a.m. | 6 views

CVE-2026-32701

Qwik (JavaScript framework) contains a vulnerability in FormData parsing prior to version 1.19.2. When processing application/x-www-form-urlencoded or multipart/form-data, dotted field names (e.g., items.0, items.1) are converted into nested structures. If a path is interpreted as an array, attac...

CVSS 7.5 | AI score 5.9 | EPSS 0.00046
Exploits 0 | References 2 | Affected Software 1

ATTACKERKB
added 2026/03/20 8:52 a.m. | 1 view

CVE-2026-32701

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be writte...

CVSS 7.5 | AI score 5.9 | EPSS 0.00046
Exploits 0 | References 3 | Affected Software 1

Vulnrichment
added 2026/03/20 8:52 a.m. | 2 views

CVE-2026-32701 Qwik has array method pollution in FormData processing, allowing type confusion and DoS

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be writte...

CVSS 7.5 | AI score 5.9 | EPSS 0.00046
Exploits 0 | References 2

RedhatCVE
added 2026/03/05 1:57 a.m. | 1 view

CVE-2026-27971

Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where...

CVSS 9.8 | AI score 6.4 | EPSS 0.26168
Exploits 0 | References 1

NVD
added 2026/03/03 11:15 p.m. | 1 view

CVE-2026-27971

Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where...

CVSS 9.8 | EPSS 0.26168
Exploits 0 | References 1

Vulnrichment
added 2026/03/03 10:55 p.m. | 2 views

CVE-2026-27971 Qwik affected by unauthenticated RCE via server$ Deserialization

Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where...

CVSS 9.2 | AI score 6.4 | EPSS 0.26168
Exploits 0 | References 1

EUVD
added 2026/03/03 10:55 p.m. | 2 views

EUVD-2026-9345

Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where...

CVSS 9.2 | AI score 6.4 | EPSS 0.26168
Exploits 0 | References 1

CNNVD
added 2026/03/03 12:0 a.m. | 1 view

Qwik code issue vulnerability

Qwik is a micro-web framework developed by Qwik Dev. Versions of Qwik 1.19.0 and earlier contained code vulnerabilities. These vulnerabilities stemmed from the insecure deserialization in the server$ RPC mechanism, allowing any unverified user to execute arbitrary code on the server through a...

CVSS 9.8 | AI score 6.3 | EPSS 0.26168
Exploits 0 | References 1

Positive Technologies
added 2026/03/02 12:0 a.m. | 1 view

PT-2026-22844

Name of the Vulnerable Software and Affected Versions: Qwik versions up to and including 1.19.0. Description: Qwik is susceptible to Remote Code Execution (RCE) due to an unsafe deserialization issue within the server$ RPC mechanism. This allows any unauthenticated user to execute arbitrary code on th...

CVSS 9.8 | AI score 6.2 | EPSS 0.26168
Exploits 0 | References 14

RedhatCVE
added 2026/02/05 1:22 a.m. | 2 views

CVE-2026-25155

Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0...

CVSS 7.1 | AI score 5.2 | EPSS 0.00007
Exploits 0 | References 1

RedhatCVE
added 2026/02/05 1:22 a.m. | 2 views

CVE-2026-25148

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successfu...

CVSS 6.1 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 1

NVD
added 2026/02/03 10:16 p.m. | 5 views

CVE-2026-25155

Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0...

CVSS 7.1 | EPSS 0.00007
Exploits 0 | References 2

CVE
added 2026/02/03 9:12 p.m. | 4 views

CVE-2026-25148

Summary (CVE-2026-25148) Qwik SSR vulnerability: prior to version 1.19.0, the server-side rendering path serializes virtual attributes in a way that can be exploited via XSS. An attacker could inject arbitrary scripts into server-rendered pages through unescaped virtual attributes, enabling scrip...

CVSS 6.1 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 2 | Affected Software 1

Cvelist
added 2026/02/03 9:12 p.m. | 25 views

CVE-2026-25148 Qwik SSR XSS via Unsafe Virtual Node Serialization

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successfu...

CVSS 5.3 | EPSS 0.00021
Exploits 0 | References 2

EUVD
added 2026/02/03 9:12 p.m. | 2 views

EUVD-2026-5166

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successfu...

CVSS 5.3 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 2

Positive Technologies
added 2026/02/03 12:0 a.m. | 1 view

PT-2026-6277

Name of the Vulnerable Software and Affected Versions: Qwik versions prior to 1.12.0. Description: Qwik is a javascript framework. A regular expression typo within the isContentType function causes incorrect parsing of certain Content-Type headers. Recommendations: Update to version 1.12.0 or later...

CVSS 5.9 | AI score 5.4 | EPSS 0.00007
Exploits 0 | References 17

CNNVD
added 2026/02/03 12:0 a.m. | 2 views

Qwik security vulnerability

Qwik is a micro-web framework developed by Qwik Dev. Versions of Qwik prior to 1.19.0 contained security vulnerabilities. These vulnerabilities stemmed from a prototype pollution vulnerability in the formToObj function, which could allow unauthenticated attackers to contaminate Object.prototype,...

CVSS 10 | AI score 5.8 | EPSS 0.00074
Exploits 0 | References 2

CNNVD
added 2026/02/03 12:0 a.m. | 2 views

Qwik cross-site scripting vulnerability

Qwik is a micro-web framework developed by Qwik Dev. Versions of Qwik prior to 1.19.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from server-side rendering of virtual property serialization, which allowed remote attackers to inject arbitrary web scripts...

CVSS 6.1 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 2