Advisories for Npm/@Builder.io/Qwik package

2026

Qwik vulnerable to Unauthenticated RCE via server$ Deserialization

qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime.

2024

Qwik has a potential mXSS vulnerability due to improper HTML escaping

A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0.

2023

Improper Control of Generation of Code ('Code Injection')

Code Injection in GitHub repository builderio/qwik prior to 0.21.0.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5.