CVE-2026-25148: Qwik SSR XSS via Unsafe Virtual Node Serialization

February 3, 2026

Description A Cross-site Scripting (CWE-79) vulnerability in Qwik.js’ server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim’s browser in the context of the affected origin. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.

References

github.com/QwikDev/qwik
github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094
github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c
github.com/advisories/GHSA-m6jq-g7gq-5w3c
nvd.nist.gov/vuln/detail/CVE-2026-25148

Code Behaviors & Features

Detect and mitigate CVE-2026-25148 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →