npm package
@builder.io/qwik-city
pkg:npm/%40builder.io/qwik-city
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32701 | | — | | < 1.19.2 | 1.19.2 | Mar 20, 2026 | Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled proper |
| CVE-2026-25150 | | — | | < 1.19.0 | 1.19.0 | Feb 3, 2026 | Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create neste |
| CVE-2026-25148 | | — | | < 1.19.0 | 1.19.0 | Feb 3, 2026 | Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attr |
| CVE-2026-25151 | | — | | < 1.19.0 | 1.19.0 | Feb 3, 2026 | Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or |
| CVE-2026-25155 | | — | | < 1.12.0 | 1.12.0 | Feb 3, 2026 | Qwik is a performance-focused JavaScript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0. |
| CVE-2026-25149 | | — | | < 1.19.0 | 1.19.0 | Feb 3, 2026 | Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers |
| CVE-2025-53620 | Cri | — | | < 1.13.0 | 1.13.0 | Jul 9, 2025 | @builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed, it dynamically loads the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node JS to exit. This vulnerabilit |
| CVE-2023-2307 | | — | | < 0.104.0 | 0.104.0 | Apr 26, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0. |