Vulnerability Description
Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the POST /update endpoint, which are persisted to disk and executed in the browsers of all authenticated users accessing the System Configuration tab, allowing session cookie exfiltration and arbitrary authenticated actions.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/Cp0204/quark-auto-save/commit/8436e2821988637ed7bfc5562544d08
- https://github.com/Cp0204/quark-auto-save/releases/tag/v0.8.5
- https://www.vulncheck.com/advisories/quark-drive-stored-xss-via-system-configura
FAQ
What is CVE-2026-45228?
CVE-2026-45228 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without ...
How severe is CVE-2026-45228?
CVE-2026-45228 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-45228?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.