PT-2026-22844 · Qwik · Qwik

Sebastianosrt · Published 2026-03-02 · Updated 2026-03-25 · CVE-2026-27971

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Qwik versions up to and including 1.19.0

Description

Qwik is vulnerable to remote code execution (RCE) through unsafe deserialization in the server$ RPC mechanism. Any unauthenticated user can execute arbitrary code on the server with a single HTTP request. The issue affects deployments where the require() function is available at runtime. Approximately 46,000 services using Qwik have been identified.

Recommendations

Update to Qwik version 1.19.1 or later.

Exploit

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2026-27971
GHSA-P9X5-JP3H-96MM

Affected Products

Qwik