CVE-2026-27971

EPSS 26.2%

Qwik vulnerable to Unauthenticated RCE via server$ Deserialization

Published: 3/2/2026Modified: 3/4/2026

Description

### Summary qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the `server$` RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where `require()` is available at runtime. ### Impact - Remote Code Execution

Affected packages (1)

npm/@builder.io/qwikfrom 0, < 1.19.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-27971
PATCHhttps://github.com/QwikDev/qwik
WEBhttps://github.com/QwikDev/qwik/releases/tag/%40builder.io%2Fqwik%401.19.1
WEBhttps://github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm