Red Hat · Quay · CVE-2026-11569
**Name of the Vulnerable Software and Affected Versions**
Quay (affected versions not specified)
**Description**
A flaw exists in the 'filedrop' endpoint that accepts any mime type without validation. This allows an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. Because the file is stored and served inline through the CDN, it enables stored cross-site scripting (XSS), which is a technique where a malicious script is permanently stored on the target server and executed when a victim visits the archive URL.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.