CVE-2026-25148

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25148

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25148.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25148

Aliases

GHSA-m6jq-g7gq-5w3c

Published

2026-02-03T21:12:38.016Z

Modified

2026-03-01T02:57:11.392959Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Qwik SSR XSS via Unsafe Virtual Node Serialization

Details

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25148.json"
}

References

Affected packages

Git / github.com/qwikdev/qwik

Affected ranges

Type: GIT
Repo: https://github.com/qwikdev/qwik
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

27f942c1ed30c0c59fb50504edfff816afc2647e

Affected versions

@builder.*

@builder.io/qwik-auth@0.2.3

@builder.io/qwik-city@1.10.0

@builder.io/qwik-city@1.11.0

@builder.io/qwik-city@1.12.0

@builder.io/qwik-city@1.12.1

@builder.io/qwik-city@1.13.0

@builder.io/qwik-city@1.14.0

@builder.io/qwik-city@1.14.1

@builder.io/qwik-city@1.15.0

@builder.io/qwik-city@1.16.0

@builder.io/qwik-city@1.16.1

@builder.io/qwik-city@1.17.0

@builder.io/qwik-city@1.17.1

@builder.io/qwik-city@1.17.2

@builder.io/qwik-city@1.18.0

@builder.io/qwik-city@1.7.1

@builder.io/qwik-city@1.7.3

@builder.io/qwik-city@1.8.0

@builder.io/qwik-city@1.9.0

@builder.io/qwik-city@1.9.1

@builder.io/qwik-labs@0.0.1

@builder.io/qwik-react@0.5.7

@builder.io/qwik-react@0.5.8

@builder.io/qwik@1.10.0

@builder.io/qwik@1.11.0

@builder.io/qwik@1.12.0

@builder.io/qwik@1.12.1

@builder.io/qwik@1.13.0

@builder.io/qwik@1.14.0

@builder.io/qwik@1.14.1

@builder.io/qwik@1.15.0

@builder.io/qwik@1.16.0

@builder.io/qwik@1.16.1

@builder.io/qwik@1.17.0

@builder.io/qwik@1.17.1

@builder.io/qwik@1.17.2

@builder.io/qwik@1.18.0

@builder.io/qwik@1.7.3

@builder.io/qwik@1.8.0

@builder.io/qwik@1.9.0

@builder.io/qwik@1.9.1

@qwikdev/just-for-checking-changesets@0.*

@qwikdev/just-for-checking-changesets@0.0.2

create-qwik@1.*

create-qwik@1.10.0

create-qwik@1.11.0

create-qwik@1.12.0

create-qwik@1.12.1

create-qwik@1.13.0

create-qwik@1.14.0

create-qwik@1.14.1

create-qwik@1.15.0

create-qwik@1.16.0

create-qwik@1.16.1

create-qwik@1.17.0

create-qwik@1.17.1

create-qwik@1.17.2

create-qwik@1.18.0

create-qwik@1.7.2

create-qwik@1.7.3

create-qwik@1.8.0

create-qwik@1.9.0

create-qwik@1.9.1

eslint-plugin-qwik@1.*

eslint-plugin-qwik@1.10.0

eslint-plugin-qwik@1.11.0

eslint-plugin-qwik@1.12.0

eslint-plugin-qwik@1.12.1

eslint-plugin-qwik@1.13.0

eslint-plugin-qwik@1.14.0

eslint-plugin-qwik@1.14.1

eslint-plugin-qwik@1.15.0

eslint-plugin-qwik@1.16.0

eslint-plugin-qwik@1.17.0

eslint-plugin-qwik@1.17.1

eslint-plugin-qwik@1.17.2

eslint-plugin-qwik@1.18.0

eslint-plugin-qwik@1.7.2

eslint-plugin-qwik@1.7.3

eslint-plugin-qwik@1.8.0

eslint-plugin-qwik@1.9.0

eslint-plugin-qwik@1.9.1

insights@0.*

insights@0.1.0

qwik-docs@0.*

qwik-docs@0.0.1

qwik-monorepo@1.*

qwik-monorepo@1.7.1

qwik-monorepo@1.7.2

v0.*

v0.0.100

v0.0.101

v0.0.102

v0.0.103

v0.0.104

v0.0.105

v0.0.106

v0.0.107

v0.0.108

v0.0.109

v0.0.11

v0.0.110

v0.0.112

v0.0.113

v0.0.12-0

v0.0.12-pre.1

v0.0.13

v0.0.14

v0.0.14-0

v0.0.14-2

v0.0.14-4

v0.0.15

v0.0.16

v0.0.16-0

v0.0.16-1

v0.0.16-10

v0.0.16-12

v0.0.16-13

v0.0.16-2

v0.0.16-4

v0.0.16-5

v0.0.16-6

v0.0.16-7

v0.0.16-8

v0.0.16-9

v0.0.18

v0.0.18-0

v0.0.18-1

v0.0.18-2

v0.0.18-3

v0.0.18-4

v0.0.18-5

v0.0.18-6

v0.0.18-7

v0.0.19

v0.0.19-0

v0.0.19-1

v0.0.19-2

v0.0.20

v0.0.20-0

v0.0.20-1

v0.0.20-2

v0.0.20-3

v0.0.20-4

v0.0.20-5

v0.0.20-7

v0.0.20-8

v0.0.21

v0.0.21-0

v0.0.22

v0.0.23

v0.0.24

v0.0.25

v0.0.26

v0.0.27

v0.0.28

v0.0.29

v0.0.30

v0.0.31

v0.0.32

v0.0.33

v0.0.34

v0.0.35

v0.0.36

v0.0.37

v0.0.38

v0.0.39

v0.0.40

v0.0.41

v0.0.42

v0.10.0

v0.100.0

v0.101.0

v0.102.0

v0.103.0

v0.104.0

v0.105.0

v0.106.0

v0.107.0

v0.11.0

v0.11.1

v0.12.0

v0.12.1

v0.13.0

v0.13.1

v0.13.2

v0.13.3

v0.14.0

v0.14.1

v0.15.0

v0.15.1

v0.15.2

v0.16.0

v0.16.1

v0.16.2

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.17.4

v0.17.5

v0.18.0

v0.18.1

v0.19.0

v0.19.1

v0.19.2

v0.20.0

v0.20.1

v0.21.0

v0.22.0

v0.22.1

v0.23.0

v0.24.0

v0.25.0

v0.9.0

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.2.0

v1.2.1

v1.2.10

v1.2.11

v1.2.12

v1.2.13

v1.2.14

v1.2.15

v1.2.16

v1.2.17

v1.2.18

v1.2.19

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.7

v1.6.0

v1.7.0

v1.7.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25148.json"