@builder.io/qwik-city
npm · 7 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @builder.io/qwik-city
- CVE-2023-2307 | MEDIUM | CVSS 4.7 | EG 4.7 | ✓ Fixed in 0.104.0 | 2023-04-26
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.
- CVE-2025-53620 | CRITICAL | CVSS 9.2 | EG 0.0 | ✓ Fixed in 1.13.0 | 2025-07-09
@builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed, it dynamically loads the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then …
- CVE-2026-25148 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 1.19.0 | 2026-02-03
Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts in…
- CVE-2026-25149 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 1.19.0 | 2026-02-03
Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. S…
- CVE-2026-25150 | CRITICAL | CVSS 9.3 | EG 9.3 | ✓ Fixed in 1.19.0 | 2026-02-03
Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot n…
- CVE-2026-25151 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 1.19.0 | 2026-02-03
Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission C…
- CVE-2026-25155 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 1.12.0 | 2026-02-03
Qwik is a performance-focused JavaScript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.