Skip to main content

Quickdrop EUVDEUVD-2026-19784

| CVE-2026-35608 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.5.3
EUVD ID Assigned
Apr 07, 2026 - 17:00 euvd
EUVD-2026-19784
Analysis Generated
Apr 07, 2026 - 17:00 vuln.today
CVE Published
Apr 07, 2026 - 16:35 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's domain. This vulnerability is fixed in 1.5.3.

AnalysisAI

Stored cross-site scripting (XSS) in QuickDrop prior to version 1.5.3 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of the application domain by uploading a malicious SVG file via the file upload endpoint and triggering execution when any user views the file preview. The vulnerability requires user interaction (viewing the preview) but no authentication, making it moderately exploitable in multi-user deployment scenarios where file sharing is expected functionality.

Technical ContextAI

QuickDrop is a file sharing application that accepts file uploads through the /api/file-upload-chunk endpoint. The vulnerability stems from insufficient input validation and output encoding on SVG files during the file preview process (CWE-79: Improper Neutralization of Input During Web Page Generation). SVG files are XML-based vector graphics that can embed JavaScript through event handlers and script tags; QuickDrop's preview mechanism does not properly sanitize or sandbox SVG content before rendering it in the user's browser within the application's same-origin context, allowing embedded malicious scripts to execute with the privileges of the authenticated or active session viewing the file.

RemediationAI

Upgrade QuickDrop to version 1.5.3 or later, which contains the fix for this stored XSS vulnerability. Users can obtain the patched version from the official GitHub releases page at https://github.com/RoastSlav/quickdrop/releases/tag/v1.5.3. Organizations unable to immediately upgrade should disable SVG file uploads via the /api/file/upload-chunk endpoint or restrict file preview functionality to authenticated users pending deployment of the patch. Refer to the security advisory at https://github.com/RoastSlav/quickdrop/security/advisories/GHSA-f577-ffvv-w6rr for additional mitigation guidance.

Share

EUVD-2026-19784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy