CVE-2026-25151
Qwik City has a CSRF Protection Bypass via Content-Type Header ValidationQwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0.
We have discovered 12,936 live websites that are affected by CVE-2026-25151.
Affected Software
| Product | |
| Category | Web Application Frameworks |
| Vulnerable Domains | 12,936 live websites (100% of Qwik install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 40 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-352 Cross-Site Request Forgery (CSRF)Details
- Published - Feb 3, 2026
- Updated - Feb 4, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-25151 United States | 9,502 websites |
 GB | 311 websites |
 Germany | 55 websites |
 Canada | 32 websites |
 Iran | 12 websites |
 France | 10 websites |
 Poland | 9 websites |
 Czech Republic | 8 websites |
 Portugal | 8 websites |
Website Distribution by TLD
Number of websites using CVE-2026-25151| .com | 8,043 websites |
| .de | 675 websites |
| .net | 450 websites |
| .info | 427 websites |
| .co.uk | 308 websites |
| .org | 144 websites |
| .co | 21 websites |
| .at | 8 websites |
| .fr | 8 websites |
| .io | 8 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-25151
Top websites that are affected by CVE-2026-25151. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.jobs | United States | *,*** | |
| ***********.com | United States | *,*** | |
| **.com | United States | *,*** | |
| ******.at |  Austria | *,*** | |
| ***********.com | United States | **,*** | |
| *******.online | United States | **,*** | |
| *******.com | United States | **,*** | |
| ********.com | United States | **,*** | |
| ***.ch | United States | **,*** | |
| *****.com | United States | **,*** |
FAQ
CVE-2026-25151 is Cross-Site Request Forgery (CSRF) in Qwik
A total of 12,936 websites have been identified as vulnerable to CVE-2026-25151, based on global website indexing conducted by WebTechSurvey.
The Qwik is affected by the CVE-2026-25151 vulnerability.
Qwik versions up to 1.19 are vulnerable to CVE-2026-25151.
CVE-2026-25151 is resolved in version 1.19 of Qwik.