Description
QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's domain. This vulnerability is fixed in 1.5.3.
Published: 2026-04-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw located in the file preview feature of QuickDrop. It allows an attacker to upload an SVG file via the /api/file/upload‑chunk endpoint that contains embedded JavaScript. When any user opens the preview, the script executes in the context of the application’s domain, which can lead to session hijacking, data theft or defacement. This weakness is classified as CWE‑79.

Affected Systems

The flaw affects all installations of RoastSlav QuickDrop that are running a version older than 1.5.3.

Risk and Exploitability

The CVSS base score of 5.3 indicates medium severity, and the CVE is not currently listed in CISA’s KEV catalog. Because the exploit requires only the ability to upload a file, an attacker can trigger the payload by tricking a user into opening a malicious preview or by compromising an account with upload privileges. The lack of an EPSS score means we have no precise measure of exploit prevalence, but the straightforward upload mechanism suggests a moderate likelihood of exploitation.

Generated by OpenCVE AI on April 7, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade QuickDrop to version 1.5.3 or later.
  • Verify that no older version is deployed in the environment.
  • If an upgrade is not possible immediately, block or sanitize SVG file uploads to remove embedded scripts.
  • Monitor user sessions for signs of cross‑site scripting activity.

Generated by OpenCVE AI on April 7, 2026 at 22:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:roastslav:quickdrop:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Roastslav
Roastslav quickdrop
Vendors & Products Roastslav
Roastslav quickdrop

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's domain. This vulnerability is fixed in 1.5.3.
Title QuickDrop has stored XSS in SVG file preview endpoint allowing JavaScript execution
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Roastslav Quickdrop
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T18:30:02.117Z

Reserved: 2026-04-03T21:25:12.163Z

Link: CVE-2026-35608

cve-icon Vulnrichment

Updated: 2026-04-07T18:29:54.717Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T17:16:35.103

Modified: 2026-04-15T17:20:39.030

Link: CVE-2026-35608

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:47:51Z

Weaknesses