Critical severity · NVD Advisory · Published Mar 3, 2026 · Updated Mar 4, 2026
Qwik affected by unauthenticated RCE via server$ Deserialization
CVE-2026-27971
Description
Qwik is a performance-focused JavaScript framework. Qwik versions <= 1.19.0 are vulnerable to remote code execution (RCE) through unsafe deserialization in the server$ RPC mechanism, which allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. The issue affects any deployment where require() is available at runtime. It is fixed in 1.19.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @builder.io/qwik (npm) | < 1.19.1 | 1.19.1 |
References
- github.com/advisories/GHSA-p9x5-jp3h-96mm [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2026-27971 [ghsa, ADVISORY]
- github.com/QwikDev/qwik/releases/tag/%40builder.io%2Fqwik%401.19.1 [ghsa, WEB]
- github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm [ghsa, x_refsource_CONFIRM, WEB]