CVE-2026-25151 - Qwik City has a CSRF Protection Bypass via Content-Type Header Validation

CVE ID : CVE-2026-25151 Published : Feb. 3, 2026, 10:16 p.m. | 49 minutes ago Description : Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0. Severity: 5.9 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...