CVE-2026-32701 | QwikDev qwik up to 1.19.1 FormData Parser type confusion

VDB-352042 · CVE-2026-32701 · GCVE-0-2026-32701 QWIKDEV QWIK UP TO 1.19.1 FORMDATA PARSER TYPE CONFUSION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.3 $0-$5k 1.85+ Summaryinfo A vulnerability described as problematic has been identified in QwikDev qwik up to 1.19.1. This impacts an unknown function of the component FormData Parser. Executing a manipulation can lead to type confusion. This vulnerability is tracked as CVE-2026-32701. The attack can be launched remotely. No exploit exists. Upgrading the affected component is recommended. Detailsinfo A vulnerability was found in QwikDev qwik up to 1.19.1. It has been declared as problematic. This vulnerability affects an unknown code block of the component FormData Parser. The manipulation with an unknown input leads to a type confusion vulnerability. The CWE definition for the vulnerability is CWE-843. The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. As an impact it is known to affect availability. CVE summarizes: Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path—such as items.toString, items.push, items.valueOf, or items.length—could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2. The advisory is available at github.com. This vulnerability was named CVE-2026-32701 since 03/13/2026. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. The technical details are unknown and an exploit is not available. Upgrading to version 1.19.2 eliminates this vulnerability. Productinfo Vendor QwikDev Name qwik Version 1.19.0 1.19.1 Website Product: https://github.com/QwikDev/qwik/ CPE 2.3info 🔒 🔒 CPE 2.2info 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 6.4 VulDB Meta Temp Score: 6.3 VulDB Base Score: 5.3 VulDB Temp Score: 5.1 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 7.5 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Type confusion CWE: CWE-843 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: qwik 1.19.2 Timelineinfo 03/13/2026 CVE reserved 03/20/2026 +7 days Advisory disclosed 03/20/2026 +0 days VulDB entry created 03/20/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: github.com Status: Confirmed CVE: CVE-2026-32701 (🔒) GCVE (CVE): GCVE-0-2026-32701 GCVE (VulDB): GCVE-100-352042 Entryinfo Created: 03/20/2026 10:12 Changes: 03/20/2026 10:12 (63) Complete: 🔍 Cache ID: 99:610:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸