62 matches found
Access of Resource Using Incompatible Type ('Type Confusion')
Overview @builder.io/qwik-city is a The meta-framework for Qwik. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' in the FormData function when handling application/x-www-form-urlencoded or multipart/form-data requests. An attacker ca...
qwik-lottie (>=0.0.5 <=0.0.6), storybook-framework-qwik (>=0.0.1 <=0.0.4) potentially affected by CVE-2026-32701 via @builder.io/qwik-city (>=0.0.112 <=0.0.128)
@builder.io/qwik-city NPM version =0.0.112, =0.0.5, =0.0.1, =0.0.4 Source cves: CVE-2026-32701 Source advisory: OSV:GHSA-WHHV-GG5V-864R...
GHSA-WHHV-GG5V-864R Qwik City has array method pollution in FormData processing allows type confusion and DoS
Summary Qwik City improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays...
CVE-2026-25149
Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convinci...
CVE-2026-25151
Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued...
CVE-2026-25150
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation e.g., user.name to create nested objects, but fails ...
CVE-2026-25150
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation e.g., user.name to create nested objects, but fails ...
CVE-2026-25151
Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued...
CVE-2026-25149
Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convinci...
Open Redirect
Overview @builder.io/qwik-city is a The meta-framework for Qwik. Affected versions of this package are vulnerable to Open Redirect via the fixTrailingSlash middleware. An attacker can redirect users to arbitrary protocol-relative URLs by crafting malicious links that appear to originate from a...
Cross-site Request Forgery (CSRF)
Overview @builder.io/qwik-city is a The meta-framework for Qwik. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via inconsistent interpretation of HTTP request headers in the server-side request handler. An attacker can bypass protections by submitting special...
Cross-site Request Forgery (CSRF)
Overview @builder.io/qwik-city is a The meta-framework for Qwik. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF due to a typo in the regular expression within the isContentType function. An attacker can bypass cross-site request forgery protections by crafting...
Prototype Pollution
Overview @builder.io/qwik-city is a The meta-framework for Qwik. Affected versions of this package are vulnerable to Prototype Pollution via the formToObj function, which processes form field names with dot notation but does not properly sanitize dangerous property names. An attacker can modify t...
CVE-2026-25150 Prototype Pollution via FormData Processing in Qwik City
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation e.g., user.name to create nested objects, but fails ...
CVE-2026-25150 Prototype Pollution via FormData Processing in Qwik City
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation e.g., user.name to create nested objects, but fails ...
CVE-2026-25150
CVE-2026-25150 affects @builder.io/qwik-city middleware in Qwik. The formToObj() function improperly handles field names with dot notation (e.g., user.name), failing to sanitize dangerous property names such as proto , constructor, and prototype. This prototype pollution allows unauthenticated at...
EUVD-2026-5165
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation e.g., user.name to create nested objects, but fails ...
CVE-2026-25150
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation e.g., user.name to create nested objects, but fails ...
CVE-2026-25150 Prototype Pollution via FormData Processing in Qwik City
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation e.g., user.name to create nested objects, but fails ...
CVE-2026-25151
Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued...