
13 matches found

OSV
added 2 days ago · 3 views

MAL-2026-5493 Malicious code in @builder.io/dev-tools (npm)

Source: ghsa-malware (670a0957692786d7cd690da1c51472380e131ceb1149cf37e265a8549ad5339b). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.5 AI score
Exploits 0 · References 1
vulnersOsv
added 2026/03/20 3:56 p.m. · 4 views

qwik-lottie (>=0.0.5 <=0.0.6), storybook-framework-qwik (>=0.0.1 <=0.0.4) potentially affected by CVE-2026-32701 via @builder.io/qwik-city (>=0.0.112 <=0.0.128)

@builder.io/qwik-city NPM version =0.0.112, =0.0.5, =0.0.1, =0.0.4 Source cves: CVE-2026-32701 Source advisory: OSV:GHSA-WHHV-GG5V-864R...

7.5 CVSS · 5.8 AI score · 0.00046 EPSS
Exploits 0
Snyk
added 2026/02/03 10:4 p.m. · 3 views

Cross-site Scripting (XSS)

Overview: @builder.io/qwik is an open-source sub-framework designed with a focus on server-side rendering, lazy-loading, and styling/animation. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the unsafe virtual node serialization. An attacker can execute arbitra...

6.1 CVSS · 5.5 AI score · 0.00026 EPSS
Exploits 0 · References 2
Positive Technologies
added 2025/07/09 12:0 a.m. · 1 views

PT-2025-28958 · Builder.Io · @Builder.Io/Qwik-City

Name of the Vulnerable Software and Affected Versions: @builder.io/qwik-city versions prior to 1.13.0 Description: The @builder.io/qwik-city meta-framework for Qwik is susceptible to an issue where improper handling of invalid qfunc during the execution of a Qwik Server Action QRL can lead to a...

9.2 CVSS · 6.4 AI score · 0.0015 EPSS
Exploits 0 · References 10
Veracode
added 2024/08/07 4:35 a.m. · 11 views

Cross-Site Scripting

@builder.io/qwik is vulnerable to Cross-Site Scripting. The vulnerability is due to improper escaping of HTML on server-side rendering, which converts strings according to the rules in the render-ssr.ts...

6.3 CVSS · 6.5 AI score · 0.00609 EPSS
Exploits 1 · References 3 · Affected Software 1
vulnersOsv
added 2024/08/06 6:24 p.m. · 4 views

@adaliszk/qwik (>=1.5.1 <=1.5.5), @aid-on/qwiks (>=0.1.2 <=0.1.4) +34 more potentially affected by CVE-2024-41677 via @builder.io/qwik (>=0.15.2 <=1.4.5)

@builder.io/qwik NPM version =0.15.2, =1.5.1, =0.1.2, =0.0.1-beta.1, =0.0.1, =0.0.1-rc.0, =0.0.1-rc.0, =0.0.1-rc.0, =0.0.1, =0.0.1, =0.0.2-rc.0, =1.0.3, =1.0.7 - @melons/qwik-new-1 =0.0.1 and more Source cves: CVE-2024-41677 Source advisory: OSV:GHSA-2RWJ-7XQ8-4GX4...

6.3 CVSS · 5.8 AI score · 0.00609 EPSS
Exploits 1
NVD
added 2024/08/06 6:15 p.m. · 15 views

CVE-2024-41677

Qwik is a performance-focused JavaScript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the render-ssr.ts file. It sometimes...

6.3 CVSS · 0.00609 EPSS
Exploits 1 · References 3
Cvelist
added 2024/08/06 5:52 p.m. · 13 views

CVE-2024-41677 Cross-site Scripting (XSS) vulnerability due to improper HTML escaping in qwik

Qwik is a performance-focused JavaScript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the render-ssr.ts file. It sometimes...

6.3 CVSS · 0.00609 EPSS
Exploits 1 · References 3
Github Security Blog
added 2023/04/26 6:30 p.m. · 22 views

@builder.io/qwik-city Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0...

6.5 CVSS · 7 AI score · 0.00166 EPSS
Exploits 1 · References 6 · Affected Software 1
vulnersOsv
added 2023/03/09 12:30 a.m. · 3 views

cypress-ct-jordan-qwik (>=0.0.0-alpha-9 <=0.0.0-alpha-12), storybook-framework-qwik (=0.0.1) potentially affected by CVE-2023-1283 via @builder.io/qwik (>=0.15.2 <=0.18.1)

@builder.io/qwik NPM version =0.15.2, =0.0.0-alpha-9, =0.0.0-alpha-12 - storybook-framework-qwik =0.0.1 Source cves: CVE-2023-1283 Source advisory: OSV:GHSA-9WF9-QVVP-2929...

10 CVSS · 7.2 AI score · 0.00282 EPSS
Exploits 1
Veracode
added 2023/01/25 10:55 a.m. · 15 views

Cross-Site Scripting (XSS)

@builder.io/qwik is vulnerable to Cross-Site Scripting (XSS). The vulnerability exists due to improper sanitization of user inputs in render-ssr.ts, which allows an attacker to inject and execute arbitrary JavaScript...

6.1 CVSS · 6 AI score · 0.00335 EPSS
Exploits 0 · References 4 · Affected Software 1
Github Security Blog
added 2023/01/20 3:30 a.m. · 31 views

@builder.io/qwik vulnerable to Cross-site Scripting

@builder.io/qwik prior to version 0.16.2 is vulnerable to cross-site scripting due to attribute names and the class attribute values not being properly handled...

6.1 CVSS · 5.8 AI score · 0.00335 EPSS
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2023/01/20 12:0 a.m. · 3 views

PT-2023-16248

Name of the Vulnerable Software and Affected Versions: @builder.io/qwik versions prior to 0.16.2; @builder.io/qwik versions prior to 0.1.0-beta5. Description: The issue is related to Cross-site Scripting (XSS) due to improper handling of attribute names and the class attribute values. Recommendations: F...

6.1 CVSS · 5.8 AI score · 0.00335 EPSS
Exploits 0 · References 10