PT-2026-6276 · Qwik · Qwik
Kageshiron
·
Published
2026-02-03
·
Updated
2026-02-04
·
CVE-2026-25151
CVSS v3.1
5.9
Medium
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Qwik versions prior to 1.19.0
Description
Qwik City’s server-side request handler inconsistently interprets HTTP request headers. This can be exploited by a remote attacker to bypass Cross-Site Request Forgery (CSRF) protections on forms using specifically crafted or multi-valued Content-Type headers. The
Content-Type header is involved in this issue.Recommendations
Update to version 1.19.0 or later.
Exploit
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Qwik