{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35608", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.163Z", "datePublished": "2026-04-07T16:35:08.606Z", "dateUpdated": "2026-04-07T18:30:02.117Z"}, "containers": {"cna": {"title": "QuickDrop has stored XSS in SVG file preview endpoint allowing JavaScript execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/RoastSlav/quickdrop/security/advisories/GHSA-f577-ffvv-w6rr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/RoastSlav/quickdrop/security/advisories/GHSA-f577-ffvv-w6rr"}, {"name": "https://github.com/RoastSlav/quickdrop/releases/tag/v1.5.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/RoastSlav/quickdrop/releases/tag/v1.5.3"}], "affected": [{"vendor": "RoastSlav", "product": "quickdrop", "versions": [{"version": "< 1.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:35:08.606Z"}, "descriptions": [{"lang": "en", "value": "QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's domain. This vulnerability is fixed in 1.5.3."}], "source": {"advisory": "GHSA-f577-ffvv-w6rr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T18:29:45.946621Z", "id": "CVE-2026-35608", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:30:02.117Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35608", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T18:29:45.946621Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:29:54.717Z"}}], "cna": {"title": "QuickDrop has stored XSS in SVG file preview endpoint allowing JavaScript execution", "source": {"advisory": "GHSA-f577-ffvv-w6rr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "RoastSlav", "product": "quickdrop", "versions": [{"status": "affected", "version": "< 1.5.3"}]}], "references": [{"url": "https://github.com/RoastSlav/quickdrop/security/advisories/GHSA-f577-ffvv-w6rr", "name": "https://github.com/RoastSlav/quickdrop/security/advisories/GHSA-f577-ffvv-w6rr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/RoastSlav/quickdrop/releases/tag/v1.5.3", "name": "https://github.com/RoastSlav/quickdrop/releases/tag/v1.5.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's domain. This vulnerability is fixed in 1.5.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T16:35:08.606Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35608", "state": "PUBLISHED", "dateUpdated": "2026-04-07T18:30:02.117Z", "dateReserved": "2026-04-03T21:25:12.163Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T16:35:08.606Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:roastslav:quickdrop:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D9B08F5-7532-48BD-93FE-43E2C35A93DD", "versionEndExcluding": "1.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's domain. This vulnerability is fixed in 1.5.3."}], "id": "CVE-2026-35608", "lastModified": "2026-04-15T17:20:39.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:35.103", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/RoastSlav/quickdrop/releases/tag/v1.5.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/RoastSlav/quickdrop/security/advisories/GHSA-f577-ffvv-w6rr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "quickdrop", "source": "cna", "vendor": "RoastSlav"}, "product": "quickdrop", "vendor": "roastslav"}], "analysis": {"en": {"generated_at": "2026-04-07T22:08:07.580953+00:00", "value": {"mitigation_remediation": ["Upgrade QuickDrop to version 1.5.3 or later.", "Verify that no older version is deployed in the environment.", "If an upgrade is not possible immediately, block or sanitize SVG file uploads to remove embedded scripts.", "Monitor user sessions for signs of cross\u2011site scripting activity."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of RoastSlav QuickDrop that are running a version older than 1.5.3.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw located in the file preview feature of QuickDrop. It allows an attacker to upload an SVG file via the /api/file/upload\u2011chunk endpoint that contains embedded JavaScript. When any user opens the preview, the script executes in the context of the application\u2019s domain, which can lead to session hijacking, data theft or defacement. This weakness is classified as CWE\u201179.", "risk_and_exploitability": "The CVSS base score of 5.3 indicates medium severity, and the CVE is not currently listed in CISA\u2019s KEV catalog. Because the exploit requires only the ability to upload a file, an attacker can trigger the payload by tricking a user into opening a malicious preview or by compromising an account with upload privileges. The lack of an EPSS score means we have no precise measure of exploit prevalence, but the straightforward upload mechanism suggests a moderate likelihood of exploitation."}}}}, "created": "2026-04-08T19:36:48.170566+00:00", "updated": "2026-04-08T19:47:51.476682+00:00", "vendors": ["roastslav", "roastslav$PRODUCT$quickdrop"]}