CVE Catalog

CVE-2026-11569

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Summary

A flaw was found in Quay that allows authenticated users with repository write access to upload SVG files containing JavaScript. The file is stored and served through the CDN, enabling stored cross-site scripting.

Risk Assessment

The organization is at risk of XSS attacks, which could lead to user data theft or session hijacking. Exploiting this vulnerability may compromise application integrity and data security.

Recommendation

It is recommended to implement MIME type validation for uploaded files and restrict the ability to upload SVG files by users with repository write access.

Original NVD description (English source)

A flaw was found in Quay. The filedrop endpoint accepts any mime type without validation, allowing an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. The file is stored and served inline through the CDN, enabling stored cross-site scripting when a victim visits the archive URL.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS