CVE-2026-32701
Published: 20 March 2026
Summary
CVE-2026-32701 is a high-severity Type Confusion (CWE-843) vulnerability in Qwik Qwik. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identification, reporting, and correction of flaws like the improper FormData parsing in Qwik versions prior to 1.19.2, enabling timely patching to version 1.19.2 or later.
Mandates validation of form data inputs at server boundaries to block mixed array-index and object-property keys that exploit dotted field name parsing into malformed structures.
Ensures error handling for parsing failures from malformed form data prevents denial of service via oversized lengths or request handling crashes without revealing sensitive information.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing web framework (T1190) via malicious form data causing type confusion and array corruption that crashes request handling (T1499.004).
NVD Description
Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be…
more
written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path—such as items.toString, items.push, items.valueOf, or items.length—could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2.
Deeper analysisAI
CVE-2026-32701 affects Qwik, a performance-focused JavaScript framework, specifically versions prior to 1.19.2. The vulnerability arises during FormData parsing in Qwik City when processing application/x-www-form-urlencoded or multipart/form-data requests. Dotted field names, such as items.0 or items.1, are converted into nested structures, but the framework improperly infers arrays from these. This allows attackers to submit mixed array-index and object-property keys for the same path, enabling user-controlled properties like toString, push, valueOf, or length to be written onto expected array values. The issue is rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-843 (Type Confusion) and CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).
Attackers require no privileges and can exploit this remotely over the network with low complexity. By crafting form submissions with keys like items.0 alongside items.length or items.toString, they can alter server-side array-like structures unexpectedly. This leads to request handling failures, denial of service via malformed array states or oversized lengths, and type confusion in downstream application code.
The vulnerability was fixed in Qwik version 1.19.2. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/QwikDev/qwik/security/advisories/GHSA-whhv-gg5v-864r and the fixing commit at https://github.com/QwikDev/qwik/commit/7b5867c3dd8925df9aa96c4296b1e95a4c2af87d.
Details
- CWE(s)