CVE-2026-35608
Stored XSS in QuickDrop File Preview via Malicious SVG Upload
Publication date: 2026-04-07
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roastslav | quickdrop | up to 1.5.3 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade QuickDrop to version 1.5.3 or later, where this stored XSS vulnerability in the file preview endpoint has been fixed.
Until the upgrade can be applied, restrict or disable the upload and preview of SVG files via the /api/file/upload-chunk endpoint to prevent malicious SVG files from being uploaded and executed.
Can you explain this vulnerability to me?
CVE-2026-35608 is a stored Cross-Site Scripting (XSS) vulnerability in the QuickDrop file sharing application, specifically affecting versions prior to 1.5.3.
The vulnerability exists in the file preview endpoint, where users can upload SVG files via the /api/file/upload-chunk endpoint. Although the application validates the file type, it does not sanitize or check the SVG content for embedded scripts.
An attacker can upload a specially crafted SVG file containing malicious JavaScript code. When any user previews this SVG file, the embedded script executes in the context of the application's domain, potentially allowing arbitrary script execution.
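An upload-time check and hardened preview headers for the flaw described above, as an added defensive example: this is not QuickDrop's code, and the function names, sample SVGs and CSP values are my own choices.

```python
import xml.etree.ElementTree as ET

# Constructed example (not QuickDrop's code): reject uploaded SVGs that carry
# script-capable content before they are stored, and serve previews with a CSP
# that blocks inline script as defence in depth.

SCRIPT_ELEMENTS = {"script", "foreignobject"}   # foreignObject can embed HTML


def _local(name: str) -> str:
    """Strip a namespace prefix like '{http://www.w3.org/2000/svg}' and lowercase."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG is script-capable; an empty list means none found.

    This is an indicator check, not a sanitizer: a production upload path should
    also re-serialize the file through an allowlist-based sanitizer.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter():
        if _local(elem.tag) in SCRIPT_ELEMENTS:
            findings.append(f"<{_local(elem.tag)}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):                 # onload=, onclick=, ...
                findings.append(f"event handler attribute {name}")
            # browsers ignore whitespace inside the scheme, so normalise first
            if name == "href" and "".join(value.split()).lower().startswith("javascript:"):
                findings.append("javascript: URI in href")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Upload-time gate: accept only SVGs with no active content."""
    return not find_active_content(svg_bytes)


def preview_headers() -> dict[str, str]:
    """Preview response headers: the CSP blocks inline script even if a
    script-bearing file slips through; nosniff prevents MIME confusion."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }
```

The `default-src 'none'` policy also blocks external images and fonts inside the preview; relax it only for the sources the preview genuinely needs.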
How can this vulnerability impact me?
This vulnerability can impact users by allowing attackers to execute arbitrary JavaScript code in the victim's browser when they view the preview of a malicious SVG file.
Such script execution can lead to theft of sensitive information, session hijacking, or other malicious actions performed within the context of the application.
Any user who previews the malicious SVG file is at risk, making it a significant security concern for the application and its users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to upload a specially crafted SVG file containing a JavaScript payload to the /api/file/upload-chunk endpoint and then previewing the file to see if the script executes.
A proof of concept involves creating an SVG file with a <script> tag that triggers an alert displaying the domain, uploading it to the target via the upload endpoint, and then accessing the file preview page to check for script execution.
Commands to test this could include using curl or similar tools to upload the crafted SVG file:
- curl -X POST -F '[email protected]' https://target-domain/api/file/upload-chunk
Then, manually visit the file preview page in a browser to observe if the JavaScript payload executes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows attackers to execute arbitrary JavaScript in the context of the application when users preview malicious SVG files.
Such a vulnerability can lead to unauthorized access to user data, session hijacking, or other malicious actions that compromise user privacy and data security.
This can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information.
Failure to address such vulnerabilities could result in data breaches or unauthorized data exposure, potentially leading to regulatory penalties or loss of trust.