Vulnerability DatabaseCVE-2026-25151
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-25151
February 03, 2026
Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0.
Affected Packages
https://github.com/QwikDev/qwik.git (GITHUB):
Affected version(s) >=@builder.io/qwik-city@1.7.1 <@builder.io/qwik-city@1.19.0
Fix Suggestion:
Update to version @builder.io/qwik-city@1.19.0
@builder.io/qwik-city (NPM):
Affected version(s) >=0.0.1 <1.19.0
Fix Suggestion:
Update to version 1.19.0
Related Resources (4)
https://github.com/QwikDev/qwik
https://nvd.nist.gov/vuln/detail/CVE-2026-25151
https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed
https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f
Do you need more information?
Contact Us
CVSS v4
Base Score:
6
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Cross-Site Request Forgery (CSRF)
CWE-352
EPSS
Base Score:
0.01