@builder.io/qwik-city (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package @builder.io/qwik-city, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (8)
CVE-2026-25150 — CVSS 9.3 (critical): Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj()…
CVE-2025-53620: @builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed it dynamically load the file containing the…
CVE-2026-32701 — CVSS 7.5 (high): Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during…
CVE-2026-25149 — CVSS 6.1 (medium): Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request…
CVE-2026-25148 — CVSS 6.1 (medium): Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side…
CVE-2026-25151 — CVSS 5.9 (medium): Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently…
CVE-2026-25155 — CVSS 5.9 (medium): Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes…