{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25148", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T15:39:11.821Z", "datePublished": "2026-02-03T21:12:38.016Z", "dateUpdated": "2026-02-04T16:58:39.293Z"}, "containers": {"cna": {"title": "Qwik SSR XSS via Unsafe Virtual Node Serialization", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c"}, {"name": "https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094", "tags": ["x_refsource_MISC"], "url": "https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094"}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"version": "< 1.19.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:12:38.016Z"}, "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0."}], "source": {"advisory": "GHSA-m6jq-g7gq-5w3c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:58:25.313003Z", "id": "CVE-2026-25148", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:58:39.293Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25148", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:58:25.313003Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:58:34.702Z"}}], "cna": {"title": "Qwik SSR XSS via Unsafe Virtual Node Serialization", "source": {"advisory": "GHSA-m6jq-g7gq-5w3c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "QwikDev", "product": "qwik", "versions": [{"status": "affected", "version": "< 1.19.0"}]}], "references": [{"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c", "name": "https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094", "name": "https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T21:12:38.016Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25148", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:58:39.293Z", "dateReserved": "2026-01-29T15:39:11.821Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T21:12:38.016Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8A329D09-A8EB-4297-8BD9-4E862179FE54", "versionEndExcluding": "1.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0."}], "id": "CVE-2026-25148", "lastModified": "2026-02-10T20:12:16.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T22:16:30.370", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:01:24.863297+00:00", "value": {"mitigation_remediation": ["Upgrade Qwik to version 1.19.0 or later, which removes the unsafe serialization behavior.", "If an immediate upgrade is not possible, disable server\u2011side rendering for pages that handle untrusted data or avoid using untrusted virtual attributes in SSR contexts.", "Add a Content\u2011Security\u2011Policy header that restricts script sources, such as \"script-src 'self';\" to mitigate the impact of any remaining reflected scripts."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The issue affects the Qwik framework distributed by QwikDev, specifically all versions released before 1.19.0. Applications that render pages on the server using Qwik\u2019s virtual node mechanism are susceptible. The vulnerability is not tied to a specific deployment environment beyond those that enable Qwik\u2019s server\u2011side rendering capability.", "description_and_impact": "A flaw in the serialization of virtual attributes during Qwik\u2019s server\u2011side rendering allows a remote attacker to inject arbitrary script code into pages that are rendered on the server. The vulnerability is a classic example of a reflected cross\u2011site scripting flaw (CWE\u201179) that can lead to the execution of malicious scripts in a victim\u2019s browser while retaining the privileges of the affected origin. The official CVSS score of 5.3 reflects the moderate severity of the impact, which is limited to the client side and does not grant direct server\u2011side code execution.", "risk_and_exploitability": "The low EPSS score of less than 1 percent indicates that the likelihood of widespread exploitation is currently small, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, any publicly accessible Qwik application that performs server\u2011side rendering and accepts user\u2011controlled values in virtual attributes is a potential target. Exploitation would typically involve supplying malicious content that is reflected during the rendering process and then serving the resulting page to a victim\u2019s browser, where the injected script would execute in the context of the application\u2019s origin."}}}}, "created": "2026-02-04T12:05:30.907578+00:00", "updated": "2026-04-18T00:15:31.769261+00:00", "vendors": ["qwikdev", "qwikdev$PRODUCT$qwik"]}