Open Redirect in Qwikdev Qwik

CVE-2026-25149

Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. S…

Vulnerability class: Open Redirect

EPSS: 0.000 (3.6th percentile) — read the EPSS interpretation.

Affected products

Qwikdev Qwik — versions < 1.19.0

Weakness classification (CWE)

CWE-601 — URL Redirection to Untrusted Site (Open Redirect)

References

https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m (x_refsource_CONFIRM)
https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed (x_refsource_MISC)