CVE-2026-45228 - Vulnerability Details

- Quark Drive (quark-auto-save) < 0.8.5 Stored XSS via System Configuration

Description

Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the POST /update endpoint, which are persisted to disk and executed in the browsers of all authenticated users accessing the System Configuration tab, allowing session cookie exfiltration and arbitrary authenticated actions.

Published: 2026-05-13

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Quark Drive versions before 0.8.5 contain a stored cross‑site scripting flaw on the System Configuration page. Attackers who are authenticated can submit malicious HTML or JavaScript as key names through the POST /update endpoint. These values are persisted and rendered without escaping by Vue.js's v-html directive, causing any authenticated user who opens the System Configuration tab to execute the payload in their browser. The consequence is session cookie theft and execution of arbitrary authenticated actions.

Affected Systems

The vulnerability affects the Quark‑Drive application by Cp0204, specifically all releases older than 0.8.5. Users of these versions that grant authenticated access to the System Configuration page are vulnerable, regardless of the operating system or deployment platform.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score is not available, meaning no data is available to gauge current exploitation likelihood. The vulnerability is not listed in CISA’s KEV catalog, suggesting no documented exploitation yet. Exploitability requires valid user credentials; once authenticated, the attacker can inject payloads that will run in other users’ browsers. Because the payload runs in-browser, an attacker can steal session cookies or perform further authenticated actions within the application.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cp0204

quark-auto-save

affected

Version	Status	Constraints
`0`	affected	< 0.8.5
`8436e2821988637ed7bfc5562544d089e6b29478`	unaffected	—

No data.

Vendor Product Confidence Versions

Cp0204

Quark-auto-save

100%

Version	Status	Scheme	Platform
`[0,0.8.5)`	affected	generic	—
`8436e2821988637ed7bfc5562544d089e6b29478`	unaffected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Quark Drive to version 0.8.5 or later.
If an upgrade is not immediately possible, restrict or disable the POST /update endpoint and the System Configuration tab for all users except trusted administrators.
Implement server‑side validation or sanitization of push_config key names to strip or encode any HTML or script content before storage.

Generated by OpenCVE AI on May 13, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00033.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Cp0204/quark-auto-save/commit/8436e2821988637ed7bfc5562544d089e6b29478
https://github.com/Cp0204/quark-auto-save/releases/tag/v0.8.5
https://www.vulncheck.com/advisories/quark-drive-stored-xss-via-system-configuration

History

Tue, 26 May 2026 00:00:00 +0000

Type	Values Removed	Values Added
Title	Quark Drive < 0.8.5 Stored XSS via System Configuration	Quark Drive (quark-auto-save) < 0.8.5 Stored XSS via System Configuration

Fri, 15 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 14 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cp0204 Cp0204 quark-auto-save
Vendors & Products		Cp0204 Cp0204 quark-auto-save

Wed, 13 May 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the POST /update endpoint, which are persisted to disk and executed in the browsers of all authenticated users accessing the System Configuration tab, allowing session cookie exfiltration and arbitrary authenticated actions.
Title		Quark Drive < 0.8.5 Stored XSS via System Configuration
Weaknesses		CWE-79
References		https://github.com/Cp0204/quark-auto-save/commit/8436e2821988637ed7bfc5562544d089e6b29478 https://github.com/Cp0204/quark-auto-save/releases/tag/v0.8.5 https://www.vulncheck.com/advisories/quark-drive-stored-xss-via-system-configuration
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`

Subscriptions

Cp0204 Quark-auto-save

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-05-13T19:54:40.534Z

Updated: 2026-05-25T23:42:23.277Z

Reserved: 2026-05-11T14:14:49.611Z

Link: CVE-2026-45228

Vulnrichment

Updated: 2026-05-15T13:37:28.369Z

NVD

Status : Deferred

Published: 2026-05-13T21:16:49.583

Modified: 2026-05-14T16:24:56.240

Link: CVE-2026-45228

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:32Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object