CVE-2026-45228 MEDIUM

CVE-2026-45228: Quark Drive (quark-auto-save) < 0.8.5 Stored XSS via System Configuration

Vendor Cp0204
Product quark-auto-save
Weakness CWE-79 · XSS
Published May 13, 2026
Last update May 25, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the POST /update endpoint, which are persisted to disk and executed in the browsers of all authenticated users accessing the System Configuration tab, allowing session cookie exfiltration and arbitrary authenticated actions.
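
A defensive check for the condition described above, as an added example that is not code from quark-auto-save or from this record: it flags push_config key names that would be interpreted as markup when rendered through v-html, and rejects an update carrying them before it is persisted. Only the push_config name comes from the description; the config shape, the key-name allowlist and every function name are assumptions. Rendering key names with Vue text interpolation instead of v-html removes the sink itself; this check covers entries already on disk and new submissions.

```javascript
// Added example: every name other than push_config is an assumption.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that let a string leave HTML text context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed policy for key names: letters, digits, underscore, dot, hyphen.
const SAFE_KEY = /^[A-Za-z0-9_.-]{1,64}$/;

// Return the push_config key names that fail the allowlist, i.e. the
// entries that would become markup if a template rendered them via v-html.
function findUnsafePushConfigKeys(config) {
  const section = config && config.push_config;
  if (section === null || typeof section !== "object" || Array.isArray(section)) return [];
  return Object.keys(section).filter((key) => !SAFE_KEY.test(key));
}

// Validate an update before it is written to disk. Reject instead of
// rewriting, so stored data never differs from what was submitted.
function validateUpdate(body) {
  const unsafe = findUnsafePushConfigKeys(body);
  return unsafe.length === 0
    ? { ok: true, rejected: [] }
    : { ok: false, rejected: unsafe.map(escapeHtml) }; // escaped for display in logs or UI
}

// Constructed sample config (not taken from the project).
const sampleConfig = {
  push_config: {
    EXAMPLE_TOKEN: "abc",
    "<img src=x onerror=alert(1)>": "1",
    'NAME"><i>x</i>': "2",
  },
};

console.log(findUnsafePushConfigKeys(sampleConfig));
console.log(validateUpdate(sampleConfig));
```

Running findUnsafePushConfigKeys over the persisted configuration after upgrading shows whether a key name with markup was stored while the instance ran a version before 0.8.5.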

Key dates

02 Disclosure timeline

May 13, 2026 CVE published
May 25, 2026 Record updated
