Description
Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0.
Published: 2026-02-03
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Patch
AI Analysis

Impact

A remote attacker can redirect users to arbitrary protocol‑relative URLs by exploiting an open redirect flaw in the default request handler middleware of Qwik City, a performance‑focused JavaScript framework. Prior to version 1.19.0 this vulnerability allows attackers to craft convincing phishing links that appear to originate from a trusted domain yet lead victims to attacker‑controlled sites. The weakness, identified as CWE‑601, originates from the middleware’s handling of trailing‑slash logic without validating the redirect target.

Affected Systems

Affected systems include QwikDev’s Qwik framework deployed in any environment before version 1.19.0, running on supported runtimes such as Node.js. Users who have not upgraded to or beyond the patched release are potentially exposed through the framework’s default request handler.

Risk and Exploitability

The CVSS score of 2.7 classifies the issue as low severity, and the EPSS score of < 1 % indicates a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to embed a crafted URL in content served by the vulnerable application; the request handler processes the trailing‑slash logic without validating the target, thereby enabling the redirect.

Generated by OpenCVE AI on April 18, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Qwik to version 1.19.0 or later.
  • Apply proper redirect validation or restrict redirect targets to a whitelist of trusted domains.
  • If upgrading is not immediately feasible, disable the vulnerable default request handler or replace it with a secure implementation.

Generated by OpenCVE AI on April 18, 2026 at 18:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-92j7-wgmg-f32m Qwik City Open Redirect via fixTrailingSlash
History

Tue, 10 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Qwik
Qwik qwik
CPEs cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*
Vendors & Products Qwik
Qwik qwik
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Qwikdev
Qwikdev qwik
Vendors & Products Qwikdev
Qwikdev qwik

Tue, 03 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Description Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0.
Title Qwik City Open Redirect via fixTrailingSlash
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:U'}

Subscriptions

Qwik Qwik
Qwikdev Qwik
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T19:59:30.294Z

Reserved: 2026-01-29T15:39:11.821Z

Link: CVE-2026-25149

cve-icon Vulnrichment

Updated: 2026-02-04T19:59:26.654Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T22:16:30.523

Modified: 2026-02-10T20:11:36.010

Link: CVE-2026-25149

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses