{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-27T02:03:18.035","vulnerabilities":[{"cve":{"id":"CVE-2026-25148","sourceIdentifier":"security-advisories@github.com","published":"2026-02-03T22:16:30.370","lastModified":"2026-06-17T10:24:11.530","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0."},{"lang":"es","value":"Qwik es un framework de javascript enfocado en el rendimiento. Antes de la versión 1.19.0, una vulnerabilidad de cross-site scripting en la serialización de atributos virtuales de renderizado del lado del servidor de Qwik.js permite a un atacante remoto inyectar scripts web arbitrarios en páginas renderizadas por el servidor a través de atributos virtuales. La explotación exitosa permite la ejecución de scripts en el navegador de una víctima en el contexto del origen afectado. Este problema ha sido parcheado en la versión 1.19.0."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"QwikDev","product":"qwik","versions":[{"version":"< 1.19.0","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-04T16:58:25.313003Z","id":"CVE-2026-25148","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:qwik:qwik:*:*:*:*:*:node.js:*:*","versionEndExcluding":"1.19.0","matchCriteriaId":"8A329D09-A8EB-4297-8BD9-4E862179FE54"}]}]}],"references":[{"url":"https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}