CVE-2026-45228
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk8th percentile - higher than 8% of all known CVEs
Summary
Quark Drive before version 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page. The template renders push_config key names using Vue.js's v-html directive without escaping, allowing authenticated attackers to inject HTML or JavaScript payloads via the POST /update endpoint. The injected payload is persisted to disk and executed in the browsers of all authenticated users accessing the System Configuration tab.
Risk Assessment
The risk includes session cookie exfiltration and arbitrary authenticated actions, potentially leading to account takeover and privilege escalation within the system.
Recommendation
Immediately upgrade Quark Drive to version 0.8.5 or later, which includes a fix for this vulnerability. Additionally, restrict access to the POST /update endpoint to trusted administrators only.
Original NVD description (English source)
Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the POST /update endpoint, which are persisted to disk and executed in the browsers of all authenticated users accessing the System Configuration tab, allowing session cookie exfiltration and arbitrary authenticated actions.

