PT-2026-6275 · Builder.Io · @Builder.Io/Qwik-City

Yueyuel · Published 2026-02-03 · Updated 2026-02-04 · CVE-2026-25150

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Qwik versions prior to 1.19.0
Description: Qwik is a performance-focused JavaScript framework. A prototype pollution issue exists in the formToObj() function within the @builder.io/qwik-city middleware. The function processes form field names using dot notation but does not sanitize dangerous property names such as __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service.
Recommendations: Update to version 1.19.0 or later.
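Added example, not Qwik's code and not the patched formToObj() in 1.19.0: a minimal dot-notation form-to-object converter with the defect the advisory describes, beside a hardened version that rejects the dangerous segments and builds null-prototype containers. The function names, the FORBIDDEN_KEYS list and the sample field names are assumptions.

```javascript
// Added example, not Qwik's code: a minimal dot-notation form-to-object converter
// of the kind the advisory describes, shown in a vulnerable and a hardened form.
// Function names, the key list and the sample field names are assumptions.

// Segments that, used as a path element, let a request reach Object.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable variant: walks "a.b.c" into nested objects with no key check, so a
// field named "__proto__.polluted" descends into Object.prototype and writes there.
function formToObjVulnerable(entries) {
  const out = {};
  for (const [name, value] of entries) {
    const path = name.split(".");
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== "object" || cur[path[i]] === null) cur[path[i]] = {};
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Hardened variant: rejects forbidden segments outright and builds null-prototype
// containers, so even an unexpected key has no prototype chain to climb.
function formToObjHardened(entries) {
  const out = Object.create(null);
  for (const [name, value] of entries) {
    const path = name.split(".");
    if (path.some((seg) => FORBIDDEN_KEYS.has(seg))) {
      throw new Error(`rejected form field name: ${name}`);
    }
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== "object" || cur[path[i]] === null) {
        cur[path[i]] = Object.create(null);
      }
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Runs the vulnerable parser on a constructed request body, reads the polluted
// property back from an unrelated object, then cleans up so the process stays sane.
function demonstratePollution() {
  formToObjVulnerable([["__proto__.polluted", "yes"]]); // constructed input
  const seen = ({}).polluted;
  delete Object.prototype.polluted;
  return seen; // "yes"
}
```

The hardened variant fails closed on a forbidden segment; a middleware would normally turn that exception into a 400 response rather than letting it propagate.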

Exploit

Fix

LPE

DoS

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-25150
GHSA-XQG6-98CW-GXHQ

Affected Products

@Builder.Io/Qwik-City
Qwik