PT-2026-6276 · Qwik · Qwik

·

CVE-2026-25151

·

Published

2026-02-03

·

Updated

2026-02-04

CVSS v3.1

5.9

Medium

VectorAV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions Qwik versions prior to 1.19.0
Description Qwik City’s server-side request handler inconsistently interprets HTTP request headers. This can be exploited by a remote attacker to bypass Cross-Site Request Forgery (CSRF) protections on forms using specifically crafted or multi-valued Content-Type headers. The Content-Type header is involved in this issue.
Recommendations Update to version 1.19.0 or later.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-25151
GHSA-R666-8GJF-4V5F

Affected Products

Qwik