CVE-2026-25151

MEDIUM EPSS 5.5%
Published Feb 3, 20264mo ago · Modified Jun 17, 20261w ago
5.9 CVSS 3.1
Medium
Find Similar
Published Feb 3, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0.

CVSS Details

Base Score
5.9
Exploitability
1.6
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
5.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-352 Cross-Site Request Forgery (CSRF) Authentication

Affected Products 1

VendorProductVersionRange
qwikqwik* <1.19.0

References 2

  • github.com https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed
    Patch
  • github.com https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f
    Vendor Advisory

Remediation

  • github.com https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed
    Patch