Skip to main content

Quark Drive EUVDEUVD-2026-30173

| CVE-2026-45228 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-13 VulnCheck GHSA-x5pg-vffv-c3g7
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 10:47 vuln.today
Analysis Generated
Jun 08, 2026 - 10:47 vuln.today
CVSS changed
May 13, 2026 - 21:22 NVD
5.4 (MEDIUM) 5.1 (MEDIUM)

DescriptionCVE.org

Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the POST /update endpoint, which are persisted to disk and executed in the browsers of all authenticated users accessing the System Configuration tab, allowing session cookie exfiltration and arbitrary authenticated actions.

AnalysisAI

Stored cross-site scripting in Quark Drive (quark-auto-save) before version 0.8.5 allows an authenticated low-privileged user to inject persistent JavaScript payloads that execute in the browsers of all authenticated users who view the System Configuration page. The root cause is Vue.js's v-html directive rendering push_config key names as raw HTML without sanitization, with payloads written to disk via the POST /update endpoint. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) signals very low current exploitation probability, but the persistent, multi-victim nature of the stored XSS elevates real-world impact in multi-user deployments.

Technical ContextAI

The affected product, identified in CPE as cpe:2.3:a:cp0204:quark-auto-save:*:*:*:*:*:*:*:*, is a self-hosted automation tool branded as Quark Drive. The vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) originates in the frontend templating layer, where the System Configuration page uses Vue.js's v-html directive to render push_config key names. Unlike Vue's default double-brace interpolation {{ }}, the v-html directive bypasses Vue's built-in HTML escaping and injects raw markup directly into the DOM, making it inherently unsafe for user-controlled content. The POST /update backend endpoint accepts and persists these key names to disk without server-side sanitization, meaning the payload survives across server restarts and affects every authenticated session that loads the System Configuration tab, not just the submitting user.

RemediationAI

Upgrade to quark-auto-save v0.8.5, which addresses this vulnerability via commit 8436e2821988637ed7bfc5562544d089e6b29478 (release notes explicitly note 'security(index.html): prevent potential XSS issues'). The patched release is available at https://github.com/Cp0204/quark-auto-save/releases/tag/v0.8.5. If immediate upgrade is not possible, restrict access to the POST /update endpoint to only the most trusted administrator accounts through application-layer or network-layer access controls, accepting the trade-off that this limits legitimate configuration management. Additionally, consider restricting navigation to the System Configuration tab to a minimal set of admin users to reduce victim surface. Stripping existing stored payloads from the push_config key name data on disk should be performed after patching to ensure previously injected content is neutralized.

Share

EUVD-2026-30173 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy