CVE-2026-35608 MEDIUM

CVE-2026-35608: QuickDrop has stored XSS in SVG file preview endpoint allowing JavaScript execution

Vendor Roastslav
Product quickdrop
Weakness CWE-79 · XSS
Published April 7, 2026
Last update April 7, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's domain. This vulnerability is fixed in 1.5.3.
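A defensive check for the upload and preview path described above, as an added example (not QuickDrop's code, and not the 1.5.3 fix, which this record does not describe). The names svg_findings and preview_headers are hypothetical, the sample SVG is constructed, and the scan is a conservative heuristic that relies on the response headers as the second layer.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign markup when an SVG is rendered.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

def _local(name: str) -> str:
    """Drop the XML namespace: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should not be rendered inline."""
    # Conservative: refuse DTDs, whose entities can hide content from a scanner.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["doctype-or-entity"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for name, value in el.attrib.items():
            attr = _local(name)
            # Browsers strip leading whitespace and embedded tabs/newlines from URLs.
            url = re.sub(r"[\x00-\x20]", "", value).lower()
            if attr.startswith("on"):
                findings.append(f"handler:{attr}")
            elif attr in ("href", "src") and url.startswith(("javascript:", "data:")):
                findings.append(f"url:{attr}")
    return findings

def preview_headers(findings: list[str]) -> dict[str, str]:
    """Response headers for a preview of user-supplied content."""
    headers = {
        "X-Content-Type-Options": "nosniff",
        # 'sandbox' without allow-scripts stops script even if the scan missed it.
        "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
    }
    if findings:
        headers["Content-Disposition"] = "attachment"  # download, do not render
    return headers

if __name__ == "__main__":
    # Constructed sample, not taken from the advisory.
    sample = b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><circle r="4"/></svg>'
    print(svg_findings(sample), preview_headers(svg_findings(sample)))
```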

Key dates

Disclosure timeline

April 7, 2026 CVE published
April 7, 2026 Record updated