Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in Quay. The filedrop endpoint accepts any mime type without validation, allowing an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. The file is stored and served inline through the CDN, enabling stored cross-site scripting when a victim visits the archive URL.
AnalysisAI
Stored cross-site scripting in Red Hat Quay 3.x allows an authenticated user with repository write access to upload a malicious SVG file via the filedrop endpoint, which lacks MIME type validation. The uploaded file is persisted and served inline through the CDN, meaning any victim who visits the archive URL will have attacker-controlled JavaScript execute in their browser. No public exploit has been identified at time of analysis, and exploitation requires both repository write privileges and victim interaction, limiting opportunistic mass exploitation.
Technical ContextAI
Red Hat Quay is a container image registry platform. Its filedrop endpoint - used for uploading archive or artifact content - fails to validate or restrict the MIME types of uploaded files. SVG is an XML-based image format natively supported by browsers, and the SVG specification permits embedded JavaScript (e.g., via <script> tags or event handlers). When an SVG containing JavaScript is stored and the CDN serves it inline rather than forcing a download disposition, the browser executes the script in the context of the Quay origin. This is a CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS) root cause: untrusted user input is stored and later reflected into a web context without sanitization. The Changed Scope (S:C) in the CVSS vector indicates that the impacted security context extends beyond the vulnerable component itself, consistent with session hijacking or credential theft affecting other Quay users.
RemediationAI
No specific patched version was confirmed in the available source data. Administrators should consult the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2026-11569 and the Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2486194 for patch availability and upgrade instructions as Red Hat releases a fix. As a compensating control pending a patch, operators can restrict access to the filedrop endpoint at the network or reverse-proxy layer to limit which accounts or IP ranges can submit uploads - trade-off: this may disrupt legitimate CI/CD pipeline workflows that rely on artifact uploads. Additionally, configuring the CDN or web server to force a Content-Disposition: attachment header for all filedrop-served content would prevent inline browser rendering of SVG files, eliminating the XSS execution path without blocking the upload feature itself - this is a low-disruption mitigation that does not affect file storage or download workflows. Auditing existing uploaded files in the filedrop directory for SVG files with embedded script content is also advisable.
More in Red Hat Quay 3
View allAuthenticated remote code execution in Red Hat Quay 3 and Mirror Registry for Red Hat OpenShift arises from unsafe deser
Red Hat Quay's container image upload mechanism allows authenticated users with push privileges to interfere with concur
Server-side request forgery (SSRF) in Red Hat Mirror Registry and Red Hat Quay 3.x allows authenticated users to conduct
Server-Side Request Forgery (SSRF) in Red Hat Quay's Proxy Cache configuration allows authenticated organization adminis
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35044
GHSA-vv84-74f6-h4pq