CVE-2026-45228
Severity: MEDIUM
Quark Drive < 0.8.5 Stored XSS via System Configuration
Title source: CNA
Description
Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page: the template renders push_config key names with Vue.js's v-html directive, which inserts raw HTML without escaping. An authenticated attacker can submit HTML or JavaScript payloads as key names through the POST /update endpoint; the payloads are persisted to disk and executed in the browsers of all authenticated users who open the System Configuration tab, allowing session cookie exfiltration and arbitrary actions in the victim's authenticated session.
References (3)
Release Notes: https://github.com/Cp0204/quark-auto-save/releases/tag/v0.8.5
Patch: https://github.com/Cp0204/quark-auto-save/commit/8436e2821988637ed7bfc5562544d089e6b29478
Third Party Advisory: https://www.vulncheck.com/advisories/quark-drive-stored-xss-via-system-configuration
Scores
CVSS v3: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L)
Attack Vector: NETWORK
EPSS: 0.0018 (percentile 8.0%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (2)
Cp0204/quark-auto-save: versions < 0.8.5
Cp0204/quark-auto-save: commit 8436e2821988637ed7bfc5562544d089e6b29478 (patch)
Published: May 13, 2026
Tracked Since: May 14, 2026