CVE-2026-11569
Stored XSS in Quay Container Registry

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: Red Hat, Inc.

Description
A flaw was found in Quay. The filedrop endpoint accepts any MIME type without validation, allowing an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. The file is stored and served inline through the CDN, enabling stored cross-site scripting when a victim visits the archive URL.
Affected Vendors & Products
Vendor   Product   Version / Range
quay     quay      *
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-11569 is a stored cross-site scripting (XSS) vulnerability in the Quay container registry's filedrop endpoint.

The filedrop endpoint accepts any MIME type without proper validation, including SVG files.

An authenticated user with repository write access can upload a malicious SVG file containing embedded JavaScript.

This malicious SVG file is stored in the object storage backend and served through the legitimate Quay domain via the CDN.

When a victim visits an archive URL referencing this file, their browser renders the SVG inline and executes the malicious JavaScript.

Impact Analysis

This vulnerability allows an attacker with repository write access to execute malicious JavaScript in the context of a victim's browser when they visit a specific archive URL.

The impact is stored cross-site scripting, which can lead to information disclosure or manipulation of the victim's interaction with the Quay service.

However, session hijacking is mitigated because the _csrf_token session cookie is protected with HttpOnly and Secure attributes.

The overall severity of this vulnerability is medium.

Detection Guidance

Detection of this vulnerability involves identifying whether malicious SVG files containing JavaScript have been uploaded via the filedrop endpoint in Quay.

Since the vulnerability allows authenticated users with repository write access to upload SVG files without MIME type validation, you can check the repository for recently uploaded SVG files.

Commands to detect potentially malicious SVG files might include searching the repository or object storage backend for SVG files and inspecting them for embedded JavaScript.

  • Use repository or storage search commands to find SVG files, for example: `find /path/to/object/storage -name '*.svg'`
  • Use grep or similar tools to check for JavaScript inside SVG files, for example: `grep -i '<script' /path/to/object/storage/*.svg`

Additionally, monitoring HTTP requests to the filedrop endpoint for uploads with suspicious MIME types or SVG files can help detect exploitation attempts.
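The commands above only find objects named `*.svg`, but because the endpoint did not validate type, active SVG content can sit in storage under any name. As an added example that is not from the advisory or the Quay project, this script inspects every stored object by content and flags script elements, event-handler attributes, `javascript:` URLs and `foreignObject`; the storage root is supplied by the caller, the sample SVGs are constructed, and the standard-library XML parser is used, so run it against a copy of storage rather than in the serving path.

```python
"""Scan filedrop objects for SVG content that carries active script (CWE-79 triage)."""
import xml.etree.ElementTree as ET
from pathlib import Path

def _local(name: str) -> str:
    """Strip a namespace prefix such as '{http://www.w3.org/2000/svg}' and lower-case."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list[str]:
    """Return findings for one stored object; an empty list means nothing actionable.
    Non-markup blobs are skipped quietly; markup that fails to parse is flagged for review."""
    if not data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<"):
        return []  # image layers, tarballs and other binaries cannot be SVG
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"markup that is not well-formed XML ({exc}); review by hand"]
    if _local(root.tag) != "svg":
        return []  # other XML (manifests, configs) is outside this check
    findings = []
    for elem in root.iter():  # document order, root included
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # handles xlink:href as well as plain href
            if name.startswith("on"):
                findings.append(f"event-handler attribute {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings

def scan_tree(storage_root: Path) -> dict[str, list[str]]:
    """Scan every regular file under storage_root, whatever its extension; {path: findings}."""
    report = {}
    for path in storage_root.rglob("*"):
        if path.is_file():
            findings = scan_svg(path.read_bytes())
            if findings:
                report[str(path)] = findings
    return report

# Constructed samples, not taken from the advisory: a benign icon and one with inert active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<script>void(0)</script><a xlink:href="javascript:void(0)">'
              b'<rect width="1" height="1" onload="void(0)"/></a></svg>')
```

Call `scan_tree(Path("/path/to/object/storage"))` to get a mapping of flagged object paths to their findings; objects without findings are omitted.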

Mitigation Strategies

Immediate mitigation steps include restricting repository write access to trusted users only, to limit who can upload files via the filedrop endpoint.

Implement MIME type validation on the filedrop endpoint to prevent uploading of SVG files or other potentially dangerous file types.

Review and remove any existing SVG files containing JavaScript from the object storage backend.

Monitor access logs and file uploads for suspicious activity related to the filedrop endpoint.

Apply any available patches or updates from the Quay maintainers that address this vulnerability.

Compliance Impact

The vulnerability allows an authenticated user with repository write access to upload malicious SVG files containing JavaScript, which can lead to stored cross-site scripting (XSS) attacks when victims visit affected URLs.

Such XSS vulnerabilities can potentially expose users to unauthorized script execution, which may lead to data exposure or manipulation.

While session hijacking is mitigated by the HttpOnly and Secure cookie attributes, the presence of stored XSS could still pose risks to the confidentiality and integrity of data.

Therefore, this vulnerability could impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.
