CVE-2026-27971: Qwik vulnerable to Unauthenticated RCE via server$ Deserialization

March 2, 2026 (updated March 4, 2026)

qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime.

References

github.com/QwikDev/qwik
github.com/QwikDev/qwik/releases/tag/%40builder.io%2Fqwik%401.19.1
github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm
github.com/advisories/GHSA-p9x5-jp3h-96mm
nvd.nist.gov/vuln/detail/CVE-2026-27971

Code Behaviors & Features

Detect and mitigate CVE-2026-27971 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →