9.2 (NVD CVSS 4.0)
Qwik Allows Unauthenticated Remote Code Execution through Server Deserialization
Exploitation likelihood: 13%
CVE-2026-27971 · GHSA-p9x5-jp3h-96mm
Summary
An unauthenticated attacker can execute arbitrary code on a Qwik server by sending a single malicious request. Qwik versions 1.19.0 and earlier are affected. Update Qwik to the fixed version, 1.19.1 or later, to resolve the issue.
What to do
- Update builder.io qwik to version 1.19.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| builder.io | qwik | <= 1.19.0 | 1.19.1 |
| qwik | qwik | <= 1.19.1 | – |
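To turn the affected range and fix version above into a repeatable check, here is an added example (not code from the advisory or from the Qwik project) that scans an npm `package-lock.json` for every installed copy of the package, including nested duplicates that a top-level upgrade can leave behind, and flags any copy below the fixed release. It assumes the npm package name `@builder.io/qwik` for the "builder.io / qwik" row, a lockfile in `lockfileVersion` 2 or 3 format (the `packages` map), and a constructed sample lockfile embedded inline; it only tells you whether an affected version is installed, not whether `require()` is available in your runtime.

```javascript
// Added example, not from the advisory or the Qwik project. Scans a
// package-lock.json (lockfileVersion 2 or 3) for every installed copy of
// @builder.io/qwik and reports the ones below the fixed release 1.19.1.

const AFFECTED_PACKAGE = "@builder.io/qwik"; // assumed npm name of "builder.io / qwik"
const FIXED_VERSION = "1.19.1";              // from the advisory: "Fix available: 1.19.1"

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver-style compare: negative if a < b, 0 if equal, positive if a > b.
// A pre-release sorts below its release (1.19.1-rc.0 < 1.19.1).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Anything below the fixed release counts as affected. For release versions
// this is exactly the advisory's "<= 1.19.0"; it also catches pre-releases
// of 1.19.1, which do not necessarily carry the fix.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the lockfile's "packages" map. Keys look like
// "node_modules/@builder.io/qwik" for the top-level copy and
// "node_modules/<dep>/node_modules/@builder.io/qwik" for nested duplicates.
function findAffectedQwik(lockfileJson) {
  const lock = typeof lockfileJson === "string" ? JSON.parse(lockfileJson) : lockfileJson;
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 ("packages" map)');
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (!path.endsWith(`node_modules/${AFFECTED_PACKAGE}`)) continue; // skips qwik-city etc.
    if (!entry.version) continue;
    findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): the top-level copy is on
// the fixed version, but a nested duplicate is still on an affected version.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@builder.io/qwik": "^1.19.1" } },
    "node_modules/@builder.io/qwik": { version: "1.19.1" },
    "node_modules/@builder.io/qwik-city": { version: "1.19.1" },
    "node_modules/legacy-widget/node_modules/@builder.io/qwik": { version: "1.18.0" },
  },
});

// Print one line per installed copy and return the number of affected copies.
function report(lockfileJson) {
  const findings = findAffectedQwik(lockfileJson);
  for (const f of findings) {
    console.log(`${f.affected ? "AFFECTED" : "ok      "} ${f.path} ${f.version}`);
  }
  return findings.filter((f) => f.affected).length;
}

// Usage: node check-qwik.js [path/to/package-lock.json]; exit code 1 if any copy is affected.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const src = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_LOCKFILE;
  process.exitCode = report(src) > 0 ? 1 : 0;
}
```

The nested-duplicate case is the one worth checking: `npm ls @builder.io/qwik` after an upgrade may still show an older copy hoisted under another dependency, and that copy is what ships in the build unless it is deduplicated or the dependency pinning it is updated.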
Original title
Qwik vulnerable to Unauthenticated RCE via server$ Deserialization
Original description
### Summary
qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the `server$` RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where `require()` is available at runtime.
### Impact
- Remote Code Execution
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 9.2
Vulnerability type
CWE-502
Deserialization of Untrusted Data
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026