CVE-2026-27971
Qwik affected by unauthenticated RCE via server$ Deserialization
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.
| CWE | CWE-502 |
| Vendor | qwikdev |
| Product | qwik |
| Published | Mar 3, 2026 |
| Last Updated | Mar 4, 2026 |
Stay Ahead of the Next One
Get instant alerts for qwikdev qwik
Be the first to know when new unknown vulnerabilities affecting qwikdev qwik are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
QwikDev / qwik
< 1.19.1