Skip to main content

Quark Auto Save

2 CVEs product

Monthly

CVE-2026-45228 MEDIUM PATCH This Month

Stored cross-site scripting in Quark Drive (quark-auto-save) before version 0.8.5 allows an authenticated low-privileged user to inject persistent JavaScript payloads that execute in the browsers of all authenticated users who view the System Configuration page. The root cause is Vue.js's v-html directive rendering push_config key names as raw HTML without sanitization, with payloads written to disk via the POST /update endpoint. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) signals very low current exploitation probability, but the persistent, multi-victim nature of the stored XSS elevates real-world impact in multi-user deployments.

XSS Quark Auto Save
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-45229 HIGH PATCH This Week

Mass assignment in Quark Auto Save (also referenced as Quark Drive) before version 0.8.5 lets authenticated users overwrite administrator credentials by posting an arbitrary 'webui' object to the config_data dictionary through the POST /update endpoint. Successful exploitation locks out legitimate administrators and grants persistent control over scheduled tasks, cloud storage tokens, and notification integrations. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.05% (16th percentile), though a vendor patch is available in release v0.8.5.

Information Disclosure Quark Auto Save
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Quark Drive (quark-auto-save) before version 0.8.5 allows an authenticated low-privileged user to inject persistent JavaScript payloads that execute in the browsers of all authenticated users who view the System Configuration page. The root cause is Vue.js's v-html directive rendering push_config key names as raw HTML without sanitization, with payloads written to disk via the POST /update endpoint. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) signals very low current exploitation probability, but the persistent, multi-victim nature of the stored XSS elevates real-world impact in multi-user deployments.

XSS Quark Auto Save
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Mass assignment in Quark Auto Save (also referenced as Quark Drive) before version 0.8.5 lets authenticated users overwrite administrator credentials by posting an arbitrary 'webui' object to the config_data dictionary through the POST /update endpoint. Successful exploitation locks out legitimate administrators and grants persistent control over scheduled tasks, cloud storage tokens, and notification integrations. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.05% (16th percentile), though a vendor patch is available in release v0.8.5.

Information Disclosure Quark Auto Save
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy