CSRF Bypass Vulnerability in Qwik City Server-Side Request Handling
CVE-2026-25151

5.9MEDIUM

Key Information:

Vendor: Qwikdev
Status: Qwik
Vendor: CVE Published:; 3 February 2026

What is CVE-2026-25151?

Qwik City, a performance-centric JavaScript framework, exhibits a weakness in its server-side request handler. This flaw occurs due to inconsistent interpretation of HTTP request headers prior to version 1.19.0. A remote attacker can exploit this vulnerability by crafting specific or multi-valued Content-Type headers, enabling them to bypass Cross-Site Request Forgery (CSRF) protections during form submissions. Users are advised to update to version 1.19.0 to mitigate this security risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

qwik < 1.19.0

References

https://github.com/QwikDev/qwik/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f...

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 3, 2026
Vulnerability Reserved
Jan 29, 2026

JSON

Qwikdev