anonhaven
Ad

CVE-2026-35608

MEDIUM CVSS 4.0: 5.3 EPSS 0.05%
Updated Apr 07, 2026
Payload
Parameter Value
CVSS 5.3 (MEDIUM)
Fixed In 1.5.3
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Payload
Public PoC No

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint.

An attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's domain. This vulnerability is fixed in 1.5.3.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Passive
Minimal interaction

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

References 2

https://github.com/RoastSlav/quickdrop/releases/tag/v1.5.3
security-advisories@github.com
https://github.com/RoastSlav/quickdrop/security/advisories/GHSA-f577-ffvv-w6rr
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-39338

Payload

8.6

CVE-2026-35576

Payload

8.7

CVE-2026-39306

Payload

7.3

CVE-2026-33865

Payload

5.1

CVE-2026-4420

Payload

5.1