171 matches found
GHSA-XQG6-98CW-GXHQ Prototype Pollution via FormData Processing in Qwik City
Summary A Prototype Pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation e.g., user.name to create nested objects, but fails to sanitize dangerous property names like proto, constructor, and...
qwik-lottie (>=0.0.5 <=0.0.6), storybook-framework-qwik (>=0.0.1 <=0.0.4) potentially affected by CVE-2026-25148 via @builder.io/qwik-city (>=0.0.112 <=0.0.128)
@builder.io/qwik-city NPM version =0.0.112, =0.0.5, =0.0.1, =0.0.4 Source cves: CVE-2026-25148 Source advisory: OSV:GHSA-M6JQ-G7GQ-5W3C...
GHSA-M6JQ-G7GQ-5W3C Qwik SSR XSS via Unsafe Virtual Node Serialization
Summary Description A Cross-site Scripting CWE-79 vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a...
Qwik SSR XSS via Unsafe Virtual Node Serialization
Summary Description A Cross-site Scripting CWE-79 vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a...
Qwik 跨站请求伪造漏洞
Qwik is a micro-web framework developed by Qwik Dev. Versions of Qwik prior to 1.12.0 contained a cross-site request forgeing vulnerability. This vulnerability stemmed from spelling errors in regular expressions, resulting in incorrect parsing of certain Content-Type headers...
PT-2026-6447
Summary Description A Cross-site Scripting CWE-79 vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a...
PT-2026-6274
Name of the Vulnerable Software and Affected Versions Qwik versions prior to 1.19.0 Description An Open Redirect issue exists in Qwik City’s default request handler middleware. This allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation could allow...
PT-2026-6399
Summary Description An Open Redirect CWE-601 vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from t...
PT-2026-6276
Name of the Vulnerable Software and Affected Versions Qwik versions prior to 1.19.0 Description Qwik City’s server-side request handler inconsistently interprets HTTP request headers. This can be exploited by a remote attacker to bypass Cross-Site Request Forgery CSRF protections on forms using...
Qwik 输入验证错误漏洞
Qwik is a micro-web framework developed by Qwik Dev. Versions of Qwik prior to 1.19.0 contained a vulnerability related to input validation errors. This vulnerability stemmed from an open redirection vulnerability in the default request handler middleware, which could allow a remote attacker to...
Qwik 跨站请求伪造漏洞
Qwik is a micro-web framework developed by Qwik Dev. Versions of Qwik prior to 1.19.0 contained a cross-site request forgeing vulnerability. This vulnerability stemmed from inconsistent interpretation of HTTP request headers by the server-side request processing logic, allowing remote attackers t...
PT-2026-6277
Name of the Vulnerable Software and Affected Versions Qwik versions prior to 1.12.0 Description Qwik is a javascript framework. A regular expression typo within the isContentType function causes incorrect parsing of certain Content-Type headers. Recommendations Update to version 1.12.0 or later...
Qwik 跨站脚本漏洞
Qwik is a micro-web framework developed by Qwik Dev. Versions of Qwik prior to 1.19.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from server-side rendering of virtual property serialization, which allowed remote attackers to inject arbitrary web scripts...
PT-2026-6499
Summary A Prototype Pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation e.g., user.name to create nested objects, but fails to sanitize dangerous property names like proto , constructor, and...
Qwik 安全漏洞
Qwik is a micro-web framework developed by Qwik Dev. Versions of Qwik prior to 1.19.0 contained security vulnerabilities. These vulnerabilities stemmed from a prototype pollution vulnerability in the formToObj function, which could allow unauthenticated attackers to contaminate Object.prototype,...
PT-2026-6275
Name of the Vulnerable Software and Affected Versions Qwik versions prior to 1.19.0 Description Qwik is a performance focused javascript framework. A prototype pollution issue exists in the formToObj function within the @builder.io/qwik-city middleware. The function processes form field names usi...
CVE-2024-41677
Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the render-ssr.ts file. It sometimes...
EUVD-2004-1288
Malware in sbrugna...
EUVD-2025-20869
Malicious code in bioql PyPI...
EUVD-2023-1261
Malicious code in bioql PyPI...