Impact
A flaw in the Quay filedrop endpoint fails to validate MIME types, allowing an authenticated user with repository write access to upload an SVG file that contains embedded JavaScript. The uploaded SVG is stored and later served inline through the CDN. When a victim visits the archive URL, the injected script runs in the victim's browser, resulting in stored cross-site scripting. The vulnerability is an instance of CWE-79: the injected code can compromise the confidentiality of information the victim is able to access, or exfiltrate that data. No remote code execution is reported; the attacker's impact is limited to the web session of any user who views the malicious asset.
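As an added defensive example (not Quay's own code), the kind of check a filedrop-style upload path can apply so that the client's declared MIME type is never trusted, SVG uploads are inspected for script-capable content, and stored blobs are served with headers that stop inline rendering. Function names, the allow-list and the sample inputs are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production to resist entity-expansion attacks

ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif", "application/octet-stream"}  # hypothetical allow-list

def sniff_mime(data: bytes) -> str:
    """Derive the MIME type from file content; the client's declared type is never trusted."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    head = data[:1024].lower()
    if b"<svg" in head:
        return "image/svg+xml"
    if b"<html" in head or b"<!doctype html" in head:
        return "text/html"
    return "application/octet-stream"

def svg_has_active_content(data: bytes) -> bool:
    """True if an SVG carries <script>, <foreignObject>, on* handlers or javascript: links."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True  # malformed XML: treat as untrusted rather than let the browser guess
    for el in root.iter():
        if el.tag.split("}")[-1].lower() in ("script", "foreignobject"):
            return True
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on") or value.strip().lower().startswith("javascript:"):
                return True
    return False

def check_upload(data: bytes):
    """Return (accepted, sniffed_mime, reason) for an uploaded blob."""
    mime = sniff_mime(data)
    if mime == "image/svg+xml" and svg_has_active_content(data):
        return False, mime, "svg contains script or event handlers"
    if mime not in ALLOWED_TYPES and mime != "image/svg+xml":
        return False, mime, "content type not allowed"
    return True, mime, "ok"

def response_headers(mime: str) -> dict:
    """Headers for serving a stored blob so it is never rendered inline as a script-capable document."""
    headers = {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
    if mime in ("image/svg+xml", "application/octet-stream"):
        headers["Content-Disposition"] = "attachment"
        headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
    return headers
```

Even an SVG that passes the upload check is still served as an attachment with a restrictive CSP, so the serving path does not depend on the upload filter being perfect.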
Affected Systems
Red Hat Quay 3. The CVE payload does not specify affected version ranges. The flaw exists in the filedrop component of Quay and may affect any deployed Quay 3 instance. Users should verify whether they run a version that includes the filedrop MIME-type validation fix, if one is available.
Risk and Exploitability
The CVSS base score of 5.4 indicates medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated account with write permission to a repository and a victim who visits the URL hosting the uploaded SVG. While the likelihood of exploitation in the wild is uncertain, a compromised or poorly managed repository could be used to deliver the malicious file to a broad audience through shared archives. An organization's risk therefore depends on how many of its users may load such assets and on how tightly repository write privileges are controlled.
OpenCVE Enrichment