Stored XSS Vulnerability in QuickDrop File Sharing Application
CVE-2026-35608

5.3 MEDIUM

Key Information:

Vendor: Roastslav

Status
Vendor
CVE Published: 7 April 2026

What is CVE-2026-35608?

QuickDrop, a file sharing application, contains a stored XSS vulnerability affecting versions prior to 1.5.3. The issue arises from the application's handling of SVG files, which can be uploaded through the /api/file/upload-chunk endpoint. An attacker can exploit this by uploading a specially crafted SVG that contains a malicious JavaScript payload. When any user subsequently views the file preview, the script executes within the application's domain, potentially compromising user data and security. The vulnerability has been addressed in version 1.5.3, and users are advised to upgrade to that version or later.
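A defender-side check for the condition described above, as an added example that is not QuickDrop's code and not the 1.5.3 fix: it flags active content in SVG bytes so that files stored by an instance running a version prior to 1.5.3 can be audited. The function names, finding labels and sample SVGs are constructed for illustration, and UTF-8 input is assumed.

```python
import xml.etree.ElementTree as ET

# URI schemes that run script or embed HTML when they appear in an attribute value.
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:text/html")
# Elements that execute script or embed arbitrary HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes):
    """Return a sorted list of findings; an empty list means nothing active was seen."""
    upper = data.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return ["doctype-or-entity"]  # refuse to expand entities: fail closed
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable"]  # browsers may still render it: fail closed
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.add(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):  # onload, onclick, onbegin, ...
                findings.add(f"handler:{name}")
            # Drop whitespace before matching so split-up schemes still match.
            compact = "".join(value.split()).lower()
            if any(scheme in compact for scheme in ACTIVE_SCHEMES):
                findings.add(f"uri:{name}")
    return sorted(findings)


# Constructed samples (inert script bodies), not taken from the advisory.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
            b'<script>/* inert */</script>'
            b'<a xmlns:xlink="http://www.w3.org/1999/xlink" '
            b'xlink:href="javascript:void 0"><text>x</text></a></svg>')

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # paths of stored uploads to audit
        with open(path, "rb") as fh:
            print(path, svg_active_content(fh.read()) or "clean")
```

Run it over stored files by content rather than by extension, since a file's name says nothing about how the preview will render it.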

Affected Version(s)

quickdrop < 1.5.3

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
