CVE-2026-25150

Source
https://cve.org/CVERecord?id=CVE-2026-25150
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25150.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25150
Aliases
Published
2026-02-03T21:12:50.417Z
Modified
2026-03-01T02:57:11.741799Z
Severity
  • 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L
Summary
Prototype Pollution via FormData Processing in Qwik City
Details

Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within the @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0.
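
Added example, not Qwik City's own code or its patch: a dot-notation form parser that refuses the property names listed above, plus a check for flagging such field names in incoming form bodies. The names safeFormToObj, findPollutingFields and FORBIDDEN_SEGMENTS, and the sample field names, are assumptions made for illustration.

```javascript
// Hypothetical hardened parser; illustrates the sanitization the advisory
// says was missing. It is not the formToObj() implementation from qwik-city.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns the field names whose dot-separated path contains a forbidden
// segment. Suitable for request logging or a pre-parse validation step.
function findPollutingFields(entries) {
  const hits = [];
  for (const [name] of entries) {
    const path = String(name).split('.');
    if (path.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) hits.push(String(name));
  }
  return hits;
}

// Builds a nested object from [name, value] pairs (e.g. FormData entries).
// Forbidden segments are rejected, and every container has a null prototype
// and is walked via own properties only, so Object.prototype is unreachable.
function safeFormToObj(entries) {
  const root = Object.create(null);
  for (const [name, value] of entries) {
    const path = String(name).split('.');
    if (path.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
      throw new TypeError(`rejected form field name: ${JSON.stringify(name)}`);
    }
    let node = root;
    for (const seg of path.slice(0, -1)) {
      const existing = hasOwn(node, seg) ? node[seg] : undefined;
      // A scalar already stored at this key is replaced, never written onto.
      const isContainer = existing !== null && typeof existing === 'object';
      const next = isContainer ? existing : Object.create(null);
      node[seg] = next;
      node = next;
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Constructed sample inputs: a normal form and one using a forbidden segment.
const benignFields = [['user.name', 'alice'], ['user.email', 'a@example.test']];
const craftedFields = [['user.name', 'bob'], ['__proto__.isAdmin', 'true']];
```

Per the advisory the fix is upgrading to version 1.19.0; a check like this at the request boundary is defence in depth for code that builds nested objects from client-supplied keys.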

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1321"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25150.json"
}
References

Affected packages

Git / github.com/qwikdev/qwik

Affected ranges

Type
GIT
Repo
https://github.com/qwikdev/qwik
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

@builder.*
@builder.io/qwik-auth@0.2.3
@builder.io/qwik-city@1.10.0
@builder.io/qwik-city@1.11.0
@builder.io/qwik-city@1.12.0
@builder.io/qwik-city@1.12.1
@builder.io/qwik-city@1.13.0
@builder.io/qwik-city@1.14.0
@builder.io/qwik-city@1.14.1
@builder.io/qwik-city@1.15.0
@builder.io/qwik-city@1.16.0
@builder.io/qwik-city@1.16.1
@builder.io/qwik-city@1.17.0
@builder.io/qwik-city@1.17.1
@builder.io/qwik-city@1.17.2
@builder.io/qwik-city@1.18.0
@builder.io/qwik-city@1.7.1
@builder.io/qwik-city@1.7.3
@builder.io/qwik-city@1.8.0
@builder.io/qwik-city@1.9.0
@builder.io/qwik-city@1.9.1
@builder.io/qwik-labs@0.0.1
@builder.io/qwik-react@0.5.7
@builder.io/qwik-react@0.5.8
@builder.io/qwik@1.10.0
@builder.io/qwik@1.11.0
@builder.io/qwik@1.12.0
@builder.io/qwik@1.12.1
@builder.io/qwik@1.13.0
@builder.io/qwik@1.14.0
@builder.io/qwik@1.14.1
@builder.io/qwik@1.15.0
@builder.io/qwik@1.16.0
@builder.io/qwik@1.16.1
@builder.io/qwik@1.17.0
@builder.io/qwik@1.17.1
@builder.io/qwik@1.17.2
@builder.io/qwik@1.18.0
@builder.io/qwik@1.7.3
@builder.io/qwik@1.8.0
@builder.io/qwik@1.9.0
@builder.io/qwik@1.9.1
@qwikdev/just-for-checking-changesets@0.*
@qwikdev/just-for-checking-changesets@0.0.2
create-qwik@1.*
create-qwik@1.10.0
create-qwik@1.11.0
create-qwik@1.12.0
create-qwik@1.12.1
create-qwik@1.13.0
create-qwik@1.14.0
create-qwik@1.14.1
create-qwik@1.15.0
create-qwik@1.16.0
create-qwik@1.16.1
create-qwik@1.17.0
create-qwik@1.17.1
create-qwik@1.17.2
create-qwik@1.18.0
create-qwik@1.7.2
create-qwik@1.7.3
create-qwik@1.8.0
create-qwik@1.9.0
create-qwik@1.9.1
eslint-plugin-qwik@1.*
eslint-plugin-qwik@1.10.0
eslint-plugin-qwik@1.11.0
eslint-plugin-qwik@1.12.0
eslint-plugin-qwik@1.12.1
eslint-plugin-qwik@1.13.0
eslint-plugin-qwik@1.14.0
eslint-plugin-qwik@1.14.1
eslint-plugin-qwik@1.15.0
eslint-plugin-qwik@1.16.0
eslint-plugin-qwik@1.17.0
eslint-plugin-qwik@1.17.1
eslint-plugin-qwik@1.17.2
eslint-plugin-qwik@1.18.0
eslint-plugin-qwik@1.7.2
eslint-plugin-qwik@1.7.3
eslint-plugin-qwik@1.8.0
eslint-plugin-qwik@1.9.0
eslint-plugin-qwik@1.9.1
insights@0.*
insights@0.1.0
qwik-docs@0.*
qwik-docs@0.0.1
qwik-monorepo@1.*
qwik-monorepo@1.7.1
qwik-monorepo@1.7.2
v0.*
v0.0.100
v0.0.101
v0.0.102
v0.0.103
v0.0.104
v0.0.105
v0.0.106
v0.0.107
v0.0.108
v0.0.109
v0.0.11
v0.0.110
v0.0.112
v0.0.113
v0.0.12-0
v0.0.12-pre.1
v0.0.13
v0.0.14
v0.0.14-0
v0.0.14-2
v0.0.14-4
v0.0.15
v0.0.16
v0.0.16-0
v0.0.16-1
v0.0.16-10
v0.0.16-12
v0.0.16-13
v0.0.16-2
v0.0.16-4
v0.0.16-5
v0.0.16-6
v0.0.16-7
v0.0.16-8
v0.0.16-9
v0.0.18
v0.0.18-0
v0.0.18-1
v0.0.18-2
v0.0.18-3
v0.0.18-4
v0.0.18-5
v0.0.18-6
v0.0.18-7
v0.0.19
v0.0.19-0
v0.0.19-1
v0.0.19-2
v0.0.20
v0.0.20-0
v0.0.20-1
v0.0.20-2
v0.0.20-3
v0.0.20-4
v0.0.20-5
v0.0.20-7
v0.0.20-8
v0.0.21
v0.0.21-0
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.29
v0.0.30
v0.0.31
v0.0.32
v0.0.33
v0.0.34
v0.0.35
v0.0.36
v0.0.37
v0.0.38
v0.0.39
v0.0.40
v0.0.41
v0.0.42
v0.10.0
v0.100.0
v0.101.0
v0.102.0
v0.103.0
v0.104.0
v0.105.0
v0.106.0
v0.107.0
v0.11.0
v0.11.1
v0.12.0
v0.12.1
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.18.0
v0.18.1
v0.19.0
v0.19.1
v0.19.2
v0.20.0
v0.20.1
v0.21.0
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.25.0
v0.9.0
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.2.0
v1.2.1
v1.2.10
v1.2.11
v1.2.12
v1.2.13
v1.2.14
v1.2.15
v1.2.16
v1.2.17
v1.2.18
v1.2.19
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.6.0
v1.7.0
v1.7.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25150.json"