Quay: quay: stored xss via filedrop svg upload
CVE-2026-11569

5.4MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Quay 3
Vendor: CVE Published:; 8 June 2026

What is CVE-2026-11569?

A flaw was found in Quay. The filedrop endpoint accepts any mime type without validation, allowing an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. The file is stored and served inline through the CDN, enabling stored cross-site scripting when a victim visits the archive URL.

References

https://access.redhat.com/security/cve/CVE-2026-11569

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2486194

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
Jun 8, 2026

Credit

This issue was discovered by Toni Gornals (Red Hat Product Security).

CVE-2026-11569 Data

JSON