CVE-2026-25148

Name of the Vulnerable Software and Affected Versions Qwik versions prior to 1.19.0

Description A Cross-Site Scripting issue exists in Qwik.js' server-side rendering virtual attribute serialization. This allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation can lead to script execution in a victim's browser within the context of the affected origin.

Recommendations Update to Qwik version 1.19.0 or later.