Deserialization in Qwikdev Qwik

CVE-2026-27971

Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server…

Vulnerability class: Insecure Deserialization

EPSS: 0.262 (96.4th percentile) — read the EPSS interpretation.

Affected products

Qwikdev Qwik — versions < 1.19.1

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

References

https://github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm (x_refsource_CONFIRM)