CVE-2026-27971

CRITICAL EXPLOITED NUCLEI

Qwik <=1.19.0 - Deserialization RCE

Title source: llm

Description

Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.

Nuclei Templates (1)

Qwik - Unauthenticated RCE via server$ Deserialization

CRITICALVERIFIEDby omarkurt

Shodan: http.html:"q:version"

FOFA: body="q:version"

References (1)

[Vendor Advisory] https://github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm

Scores

CVSS v3 9.8

EPSS 0.2998

EPSS Percentile 96.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2026-04-01

CWE

CWE-502

Status published

Products (2)

builder.io/qwik 0 - 1.19.1npm

qwik/qwik < 1.19.1

Published Mar 03, 2026

Tracked Since Mar 04, 2026