Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's domain. This vulnerability is fixed in 1.5.3.
AnalysisAI
Stored cross-site scripting (XSS) in QuickDrop prior to version 1.5.3 allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of the application domain by uploading a malicious SVG file via the file upload endpoint and triggering execution when any user views the file preview. The vulnerability requires user interaction (viewing the preview) but no authentication, making it moderately exploitable in multi-user deployment scenarios where file sharing is expected functionality.
Technical ContextAI
QuickDrop is a file sharing application that accepts file uploads through the /api/file-upload-chunk endpoint. The vulnerability stems from insufficient input validation and output encoding on SVG files during the file preview process (CWE-79: Improper Neutralization of Input During Web Page Generation). SVG files are XML-based vector graphics that can embed JavaScript through event handlers and script tags; QuickDrop's preview mechanism does not properly sanitize or sandbox SVG content before rendering it in the user's browser within the application's same-origin context, allowing embedded malicious scripts to execute with the privileges of the authenticated or active session viewing the file.
RemediationAI
Upgrade QuickDrop to version 1.5.3 or later, which contains the fix for this stored XSS vulnerability. Users can obtain the patched version from the official GitHub releases page at https://github.com/RoastSlav/quickdrop/releases/tag/v1.5.3. Organizations unable to immediately upgrade should disable SVG file uploads via the /api/file/upload-chunk endpoint or restrict file preview functionality to authenticated users pending deployment of the patch. Refer to the security advisory at https://github.com/RoastSlav/quickdrop/security/advisories/GHSA-f577-ffvv-w6rr for additional mitigation guidance.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19784