CVE-2026-27971: Unauthenticated Remote Code Execution in Qwik Framework RPC
Vulnerability ID: CVE-2026-27971
CVSS Score: 9.8
Published: 2026-03-03
CVE-2026-27971 is a critical unauthenticated Remote Code Execution (RCE) vulnerability in the Qwik JavaScript framework. The flaw arises from insecure deserialization within the framework's RPC mechanism, allowing attackers to execute arbitrary server-side code by crafting malicious Qwik Reference Locators (QRLs).
TL;DR
Insecure deserialization in Qwik <= 1.19.0 allows unauthenticated attackers to execute arbitrary code via malicious RPC payloads that force the server to load arbitrary local modules.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-502
- CVSS v3.1 Score: 9.8 Critical
- Attack Vector: Network
- Exploit Status: Proof-of-Concept Available
- EPSS Score: 0.13434 (94.07th Percentile)
- CISA KEV: Not Listed
Affected Systems
- Qwik Web Framework
- Node.js server environments running Qwik applications
- Qwik: <= 1.19.0 (fixed in 1.19.1)
Exploit Details
- sebsrt.xyz: Full Proof-of-Concept writeup and payload breakdown
Mitigation Strategies
- Upgrade Qwik framework to version 1.19.1 or higher.
- Implement WAF rules to block POST requests containing `Content-Type: application/qwik-json` on non-RPC routes.
- Harden the Node.js runtime environment by running the process with least privileges.
- Remove unnecessary development dependencies (e.g., `cross-spawn`) from the production node_modules directory, for instance by installing with `npm ci --omit=dev`. This removes one known gadget module, not the deserialization flaw itself, so it is a stopgap and not a substitute for upgrading.
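The WAF rule above, as an added example (this is not the advisory's or the Qwik project's code): a request pre-filter that rejects POST requests whose body is declared as `application/qwik-json` unless the path sits under an allow-list of routes that legitimately serve Qwik RPC calls. `ALLOWED_RPC_PREFIXES` and the sample requests are assumptions constructed for the example; you must work out which routes in your own deployment actually receive server-function calls before enabling a rule like this. The filter canonicalizes the media type and the path so that case tricks, `;charset` parameters and percent-encoded `..` segments do not bypass the prefix check.

```javascript
// Added example, not part of the advisory or of Qwik itself: a pre-filter for
// the WAF-style mitigation. ALLOWED_RPC_PREFIXES is a placeholder (assumption).

const QWIK_RPC_MEDIA_TYPE = "application/qwik-json";

// Media type of a Content-Type header: lower-cased, parameters such as
// "; charset=utf-8" dropped, surrounding whitespace removed.
function mediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Canonical request path: percent-decoded, query/fragment stripped, "." and
// ".." resolved and empty segments collapsed, so "/rpc/%2e%2e/admin" is
// compared as "/admin" and cannot slip past a prefix check.
function normalizePath(rawPath) {
  let path = String(rawPath).split(/[?#]/)[0];
  try {
    path = decodeURIComponent(path);
  } catch {
    return null; // malformed percent-encoding: treat as unmatchable
  }
  const segments = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

// Prefix match on a segment boundary: "/rpc" covers "/rpc" and "/rpc/x",
// but not "/rpcadmin".
function underPrefix(path, prefix) {
  const p = prefix.endsWith("/") ? prefix.slice(0, -1) : prefix;
  return path === p || path.startsWith(p + "/");
}

// Decision function: block only POST + application/qwik-json off the allow-list.
// Everything else is left to the application (or the next WAF rule).
function shouldBlockRequest({ method, path, contentType }, allowedRpcPrefixes) {
  if (String(method).toUpperCase() !== "POST") return false;
  if (mediaType(contentType) !== QWIK_RPC_MEDIA_TYPE) return false;
  const canonical = normalizePath(path);
  if (canonical === null) return true;
  return !allowedRpcPrefixes.some((prefix) => underPrefix(canonical, prefix));
}

// Placeholder allow-list (assumption, not from the advisory).
const ALLOWED_RPC_PREFIXES = ["/rpc"];

// Constructed sample requests, not captured traffic.
const SAMPLE_REQUESTS = [
  { method: "POST", path: "/rpc/user", contentType: "application/qwik-json" },
  { method: "POST", path: "/admin", contentType: "Application/Qwik-JSON; charset=utf-8" },
  { method: "POST", path: "/rpc/%2e%2e/admin", contentType: "application/qwik-json" },
  { method: "POST", path: "/rpcadmin", contentType: "application/qwik-json" },
  { method: "GET", path: "/admin", contentType: "application/qwik-json" },
  { method: "POST", path: "/admin", contentType: "application/json" },
];

// Returns one boolean per sample request: true means "block".
function filterSample() {
  return SAMPLE_REQUESTS.map((r) => shouldBlockRequest(r, ALLOWED_RPC_PREFIXES));
}
```

`shouldBlockRequest` is framework-agnostic; wire it into an Express or Fastify middleware, or translate the same three checks into your WAF's rule language. If the application does not use Qwik server functions at all, an empty allow-list blocks every `application/qwik-json` POST outright. Either way this only narrows the attack surface: the deserialization flaw remains until the framework is upgraded.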
Remediation Steps:
- Identify all deployments utilizing the Qwik framework.
- Update `package.json` to specify `@builder.io/qwik` version 1.19.1 or later.
- Rebuild the application to generate a new server manifest.
- Deploy the updated application to production environments.
- Run vulnerability scanners or the provided Nuclei template to confirm the fix is effective.
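The identification step above, as an added example (not the advisory's or the Qwik project's code): a lockfile audit that reports every copy of `@builder.io/qwik` ordered below the fixed version, including transitive copies nested under another package's `node_modules`, which are just as loadable as the top-level one. The semver comparison treats a `1.19.1` prerelease as vulnerable because the advisory names only the `1.19.1` release as fixed. `SAMPLE_LOCK` is a constructed lockfile, not a real project.

```javascript
// Added example, not part of the advisory or of the Qwik project: audit an npm
// lockfile (lockfileVersion 2 or 3, "packages" map) for vulnerable
// @builder.io/qwik copies. Lockfile v1 ("dependencies" tree) is not handled.

const PACKAGE_NAME = "@builder.io/qwik";
const FIXED_VERSION = "1.19.1"; // advisory: <= 1.19.0 affected, fixed in 1.19.1

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (m === null) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Semver ordering: numeric core first; a prerelease sorts below its release
// (1.19.1-dev < 1.19.1). Prerelease identifiers are compared as plain strings,
// which is sufficient for a vulnerable/fixed decision.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (pa === null || pb === null) {
    throw new Error(`unparseable version: ${pa === null ? a : b}`);
  }
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Anything ordered below 1.19.1 is vulnerable, including 1.19.1 prereleases:
// the advisory names only the 1.19.1 release as fixed.
function isVulnerableQwikVersion(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Lockfile keys look like "node_modules/@builder.io/qwik" or
// "node_modules/<dep>/node_modules/@builder.io/qwik" for nested copies.
function isQwikEntry(lockPath) {
  return lockPath === `node_modules/${PACKAGE_NAME}` ||
    lockPath.endsWith(`/node_modules/${PACKAGE_NAME}`);
}

// Returns one finding per vulnerable copy, in lockfile order.
function auditLockfile(lock) {
  const packages = lock && lock.packages;
  if (!packages) throw new Error('expected a lockfileVersion 2 or 3 file with a "packages" map');
  const findings = [];
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (!isQwikEntry(lockPath) || !entry || typeof entry.version !== "string") continue;
    if (isVulnerableQwikVersion(entry.version)) {
      findings.push({ path: lockPath, version: entry.version, fixedIn: FIXED_VERSION });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one top-level copy and one
// copy nested under a hypothetical "legacy-widget" dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@builder.io/qwik": { version: "1.19.0" },
    "node_modules/@builder.io/qwik-city": { version: "1.19.0" },
    "node_modules/legacy-widget/node_modules/@builder.io/qwik": { version: "1.12.1" },
  },
};
```

To run it on a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`. The lockfile describes what `npm ci` will install, not what is on disk, so on a built image also check the deployed tree with `npm ls @builder.io/qwik` before signing off the remediation.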
References
- GitHub Security Advisory: GHSA-p9x5-jp3h-96mm
- Qwik Release v1.19.1
- Technical Writeup by Sebastiano Sartor
- SentinelOne Vulnerability Database: CVE-2026-27971
- Nuclei Detection Template