Stored Cross-Site Scripting Vulnerability in Quark Drive by Cp0204
CVE-2026-45228

5.1MEDIUM

Key Information:

Vendor

Cp0204

Status
Quark-auto-save
Vendor
CVE Published:
13 May 2026

What is CVE-2026-45228?

Quark Drive prior to version 0.8.5 is susceptible to a stored cross-site scripting vulnerability that affects the System Configuration page. This vulnerability allows authenticated attackers to inject malicious HTML or JavaScript payloads into the push_config key names using Vue.js’s v-html directive, which does not properly escape such inputs. The injected code is stored on disk and executed in the browsers of all users accessing the System Configuration tab, creating opportunities for session cookie theft and enabling unauthorized actions that can compromise user accounts.

Affected Version(s)

quark-auto-save 0

quark-auto-save 0 < 0.8.5

quark-auto-save 8436e2821988637ed7bfc5562544d089e6b29478

References

https://github.com/Cp0204/quark-auto-save/releases/tag/v0...
release-notes
https://github.com/Cp0204/quark-auto-save/commit/8436e282...
patch
https://www.vulncheck.com/advisories/quark-drive-stored-x...
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Katriel Moses
.