CVE-2026-45229 HIGH

CVE-2026-45229: Quark Drive (quark-auto-save) < 0.8.5 Mass Assignment via POST /update

Vendor Cp0204
Product quark-auto-save
Weakness CWE-915
Published May 13, 2026
Last update May 25, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to permanently replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services.

Key dates

02Disclosure timeline

May 13, 2026 CVE published
May 25, 2026 Record updated

Related vulnerabilities

04Related CVE