Qwik Remote Code Execution Vulnerability in server$ RPC Mechanism

Vulnerability

A remote code execution vulnerability exists in Qwik versions through 1.19.0. The issue arises from unsafe deserialization in the server$ RPC mechanism, which allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. The vulnerability affects deployments where require() is available at runtime.

Impact

Exploitation of this vulnerability allows for remote code execution on the server.

Remediation

Users can upgrade to Qwik version 1.19.1 to address this vulnerability.
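
To confirm that no affected copy remains in a dependency tree, the following added example (not part of the original advisory or of the Qwik project) scans the "packages" map of a package-lock.json for Qwik releases below 1.19.1, including nested copies. The npm package names @builder.io/qwik and @builder.io/qwik-city are assumptions, since the advisory only says "Qwik"; the sample lockfile is constructed, and pre-releases of 1.19.1 are reported as a conservative choice.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3) for Qwik
// packages older than the fixed release 1.19.1 named in the advisory.
// ASSUMPTION: the npm package names below; the advisory only says "Qwik".
const QWIK_PACKAGES = ["@builder.io/qwik", "@builder.io/qwik-city"];
const FIXED = "1.19.1";

// Split "1.19.0-beta.2+build" into numeric core and pre-release tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when `version` sorts below `fixed`. Unparseable versions and
// pre-releases of the fixed version are reported (conservative choice).
function isBelowFixed(version, fixed = FIXED) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!a || !b) return true;
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre !== null && b.pre === null;
}

// Walk the lockfile "packages" map; keys look like
// "node_modules/x/node_modules/@builder.io/qwik", so nested copies count too.
function findVulnerableQwik(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (QWIK_PACKAGES.includes(name) && isBelowFixed(meta.version)) {
      findings.push({ path, name, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@builder.io/qwik": { version: "1.19.1" },
    "node_modules/@builder.io/qwik-city": { version: "1.19.0" },
    "node_modules/some-plugin/node_modules/@builder.io/qwik": { version: "1.8.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
console.log(findVulnerableQwik(sampleLock));
```

In a real project, pass the result of JSON.parse on the lockfile contents to findVulnerableQwik and fail the build when the returned list is non-empty.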

Added: Mar 3, 2026, 11:19 PM
Updated: Mar 3, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 10.0
exploitability: 3.7
remediation: 7.7
relevance: 3.4
threat: 0.5
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.