CVE-2026-25150

EPSS 0.05%
Veröffentlicht 03.02.2026 21:12:50
Zuletzt bearbeitet 10.02.2026 20:10:16
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Qwik ≫ Qwik SwPlatformnode.js Version < 1.19.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.154

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	9.3	3.9	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq

Vendor Advisory

https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-25150

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25150

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25150

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25150