CVE-2026-27971
Remote Code Execution in Qwik <=1.19.0 via Unsafe Deserialization

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
Qwik is a performance-focused JavaScript framework. Qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. It affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.
Meta Information
Published: 2026-03-03
Last Modified: 2026-03-05
Generated: 2026-06-16
AI Q&A: 2026-03-04
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: qwik
Product: qwik
Version / Range: up to 1.19.1 (exclusive)
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Executive Summary

This vulnerability exists in the Qwik JavaScript framework in versions up to 1.19.0. It is an unsafe deserialization flaw in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server by sending a single HTTP request.

The issue affects any deployment where require() is available at runtime, which is what enables the remote code execution (RCE). An attacker can run arbitrary code on the server without any authentication.

The vulnerability is fixed in version 1.19.1 of Qwik.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to execute arbitrary code on the server without authentication.

  • Compromise of server integrity and control.
  • Potential data theft or data manipulation.
  • Disruption of services or denial of service.
  • Use of the compromised server as a pivot point for further attacks.
Mitigation Strategies

The vulnerability in Qwik versions up to 1.19.0 allows unauthenticated remote code execution via unsafe deserialization in the server RPC mechanism.

To mitigate this vulnerability immediately, upgrade Qwik to version 1.19.1 or later where the issue is fixed.

Additionally, ensure that deployments do not expose require() at runtime if possible, as this increases the attack surface.
