Impact
A flaw in the serialization of virtual attributes during Qwik's server-side rendering allows a remote attacker to inject arbitrary script into pages that are rendered on the server. The issue is a reflected cross-site scripting flaw (CWE-79): attacker-controlled content reaches the rendered HTML without adequate encoding for the context it lands in, so the injected script executes in the victim's browser with whatever same-origin access the browser grants the affected site. The official CVSS score of 5.3 (Medium) reflects an impact that is confined to the client side; the flaw does not grant server-side code execution.
Affected Systems
The issue affects the Qwik framework distributed by QwikDev in all versions released before 1.19.0; upgrading to 1.19.0 or later resolves it. Applications that render pages on the server through Qwik's virtual node mechanism are susceptible, regardless of hosting or deployment environment. Applications that do not enable Qwik's server-side rendering are not exposed by this particular flaw. When assessing exposure, confirm the version actually resolved in the lockfile or reported by the package manager rather than the range declared in package.json, since the two can differ.
Risk and Exploitability
The EPSS score of under 1 percent indicates that the probability of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, any publicly reachable Qwik application that performs server-side rendering and passes user-controlled values (query parameters, path segments, form fields, request headers) into virtual attributes is a candidate target. Exploitation would typically take the form of a crafted URL or request delivered to a victim: the malicious value is reflected into the HTML produced during rendering, and when the victim's browser parses that response the injected script runs in the application's origin. A Content Security Policy that forbids inline script can reduce the impact of such an injection, but it is not a substitute for applying the fix.
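The pattern described above, as an added illustration that is not Qwik's own code and makes no claim about Qwik's actual wire format: a stand-in SSR serializer that writes a virtual node's attributes into the HTML stream, first in an unsafe form and then hardened. The `<!--qv ...-->` marker, the function names and the sample input are all the example's own assumptions. The point it makes is that the encoding must match the context the value lands in; inside an HTML comment the dangerous sequence is `-->`, which ordinary attribute quoting does nothing about.

```javascript
// Added example (not Qwik's code): a minimal stand-in for the SSR step that
// serializes a virtual node's attributes. The "<!--qv ...-->" marker syntax is
// an assumption made for this example, not a statement about Qwik's format.

// Constructed sample: one attribute value is user-controlled (reflected from a
// request) and tries to close the marker and open a script tag.
const USER_INPUT = 'x"--><script>alert(document.domain)</script><!--"';
const SAMPLE_ATTRS = { 'q:id': 'node1', title: USER_INPUT };

// Vulnerable pattern: attribute values are concatenated into markup verbatim.
function serializeVirtualAttrsUnsafe(attrs) {
  const body = Object.entries(attrs).map(([k, v]) => `${k}="${v}"`).join(' ');
  return `<!--qv ${body}-->`;
}

// Hardened pattern: encode the characters that can end an attribute value, a
// tag, or an HTML comment. Browsers do not decode entities inside comments, so
// an encoded ">" can no longer terminate the marker; the client-side reader
// decodes the entities itself when it reads the attributes back.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function unescapeAttrValue(value) {
  return value
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" round-trips to "&lt;"
}

function serializeVirtualAttrsSafe(attrs) {
  const body = Object.entries(attrs)
    .map(([k, v]) => `${k}="${escapeAttrValue(v)}"`)
    .join(' ');
  return `<!--qv ${body}-->`;
}

// Wraps one serialized node in a page, as the SSR response would.
function renderPage(attrs, serialize) {
  return `<!DOCTYPE html><html><body>${serialize(attrs)}<main>ok</main></body></html>`;
}

// Client-side counterpart: read the attributes back out of the first marker.
// Note that for the unsafe output the marker ends at the attacker's "-->",
// so the client sees a truncated value while the browser has already parsed
// the rest of the payload as live markup.
function parseVirtualAttrs(html) {
  const m = /<!--qv ([\s\S]*?)-->/.exec(html);
  if (!m) return null;
  const attrs = {};
  for (const [, k, v] of m[1].matchAll(/([^\s=]+)="([^"]*)"/g)) {
    attrs[k] = unescapeAttrValue(v);
  }
  return attrs;
}

// Check to run over rendered output: does a <script> tag appear outside any
// comment? A crude scan, but sufficient to flag a comment breakout.
function hasScriptOutsideComments(html) {
  const stripped = html.replace(/<!--[\s\S]*?-->/g, '');
  return /<script\b/i.test(stripped);
}

console.log(hasScriptOutsideComments(renderPage(SAMPLE_ATTRS, serializeVirtualAttrsUnsafe))); // true
console.log(hasScriptOutsideComments(renderPage(SAMPLE_ATTRS, serializeVirtualAttrsSafe)));   // false
console.log(parseVirtualAttrs(renderPage(SAMPLE_ATTRS, serializeVirtualAttrsSafe)).title === USER_INPUT); // true
```

Running the block shows the two outcomes side by side: the unsafe serializer lets the payload escape the marker and the scan finds a live `<script>` tag, while the hardened serializer keeps the whole value inside the comment and still round-trips it intact to the client-side reader.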