CVE-2026-32701 in qwikالمعلومات

الملخص

بحسب MITRE • 20/03/2026

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path—such as items.toString, items.push, items.valueOf, or items.length—could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

GitHub M

حجز

13/03/2026

إفشاء

20/03/2026

الاعتدال

تمت الموافقة

إدخال

VDB-352042

EPSS

0.00046

KEV

لا

النشاطات

منخفض جدًا

المصادر

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-32701
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-32701
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-32701/

التالي نظرة عامة السابق

Might our Artificial Intelligence support you?

Check our Alexa App!