VYPR
Moderate severityOSV Advisory· Published Feb 3, 2026· Updated Feb 4, 2026

Qwik City has a CSRF Protection Bypass via Content-Type Header Validation

CVE-2026-25151

Description

Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@builder.io/qwik-citynpm
< 1.19.01.19.0

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.