Home / Vulnerability Intelligence / CVE-2026-27971

CVE-2026-27971 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 5, 2026

Qwik - Remote Code Execution

Published: March 3, 2026Updated: March 5, 2026Remote Exploitable

Overview

Qwik <=1.19.0 contains an insecure deserialization vulnerability in the server$ RPC mechanism, letting unauthenticated attackers execute arbitrary code remotely, exploit requires require() availability at runtime.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 6.2%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can execute arbitrary code on the server, leading to full system compromise.

Mitigation

Update to version 1.19.1 or later.

References

https://github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 4, 2026

⚠️ CVE-2026-27971: QwikDev qwik <1.19.1 has a CRITICAL RCE flaw via unsafe deserialization in server-side RPC. No auth needed — patch to 1.19.1+ now! Exploits are trivial if require() is exposed. https://radar.offseq.com/threat/cve-2026-27971-cwe-502-deserialization-of-untruste-b59de789 #OffSeq #CVE202627971 #RCE #JavaScript #InfoSec

View original post

Related Resources

Details

CVE ID: CVE-2026-27971
Severity: Critical
CVSS Score: 9.8
Type: insecure_deserialization
Status: confirmed
EPSS: 6.2%
Social Posts: 1

CWE

CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

6.2%Probability of exploitation in the next 30 days