CVE-2026-35608
Severity: MEDIUM
QuickDrop has stored XSS in SVG file preview endpoint allowing JavaScript execution
Title source: cnaDescription
QuickDrop is an easy-to-use file sharing application. Prior to version 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application accepts SVG uploads via the /api/file/upload-chunk endpoint, and an attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's origin, so it runs with that user's session against the application. This vulnerability is fixed in version 1.5.3.
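The advisory does not publish the payload or the fix, so the following is an added illustration, not QuickDrop code and not taken from the advisory. It shows the two checks a preview endpoint needs against this class of bug (CWE-79 via SVG): decide by content, not by client-declared type, that a file is SVG, flag the constructs that carry script, and serve SVG with headers that keep the browser from executing it even when a user opens the preview URL directly. The sample SVGs are constructed here; the function names and the header policy are this example's own choices, not the project's.

```python
"""Content-sniffing, active-content detection and safe preview headers for
uploaded SVG.  Added example; hypothetical helpers, not the QuickDrop API."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample in the shape of an SVG carrying a JavaScript payload:
# an event handler on the root, an inline <script>, and a javascript: link.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.domain)">
  <script>fetch('/api/whoami').then(r => r.text()).then(t => alert(t))</script>
  <a xlink:href="javascript:alert(1)"><text y="20">click</text></a>
</svg>
"""

# Constructed benign sample: static vector art only.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')


def is_svg(data: bytes) -> bool:
    """True if the bytes parse as XML whose root element is <svg>.

    The decision ignores the upload's file extension and declared
    Content-Type: a browser that is handed image/svg+xml will treat the
    body as a document, so the body is what has to be classified.
    In production parse with defusedxml to avoid entity-expansion DoS."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag in ("svg", "{%s}svg" % SVG_NS)


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute."""
    return name.rsplit("}", 1)[-1]


def find_active_content(data: bytes) -> list[str]:
    """List the script-bearing constructs in an SVG (empty list = none found).

    Flags <script>, <foreignObject> (can embed HTML), on* event handlers on
    any element, and href/xlink:href values using the javascript: scheme."""
    findings = []
    for el in ET.fromstring(data).iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignObject"):
            findings.append("<%s> element" % tag)
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append("%s handler on <%s>" % (name, tag))
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href on <%s>" % tag)
    return findings


def preview_headers(data: bytes, declared_type: str) -> dict[str, str]:
    """Response headers for a preview endpoint serving an uploaded file.

    SVG is sniffed from content and served as a download with a CSP that
    forbids script, so a direct navigation to the preview URL cannot run
    the payload; other types keep their declared Content-Type but are
    protected from MIME sniffing by nosniff."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if is_svg(data):
        headers["Content-Type"] = "image/svg+xml"
        headers["Content-Disposition"] = "attachment"
        headers["Content-Security-Policy"] = (
            "default-src 'none'; style-src 'unsafe-inline'; img-src data:; sandbox")
    else:
        headers["Content-Type"] = declared_type
        headers["Content-Disposition"] = "inline"
    return headers


if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, is_svg(blob), find_active_content(blob))
        print("  headers:", preview_headers(blob, "image/svg+xml"))
```

The header policy is the minimum that neutralises the described attack when the preview is the same origin as the application; the more robust design is to serve user-uploaded files from a separate origin so that any script that does run cannot reach the application's session. Rejecting uploads that `find_active_content` flags is a useful belt-and-braces control, but it is a denylist and should not be the only defence.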
References (2)
Confirm (x_refsource_confirm): https://github.com/RoastSlav/quickdrop/security/advisories/GHSA-f577-ffvv-w6rr
Misc (x_refsource_misc): https://github.com/RoastSlav/quickdrop/releases/tag/v1.5.3
Scores
CVSS v3: 6.1
EPSS: 0.0019
EPSS Percentile: 8.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (2)
roastslav/quickdrop < 1.5.3
RoastSlav/quickdrop < 1.5.3
Published: Apr 07, 2026
Tracked Since: Apr 07, 2026