CVE-2026-45228

Name of the Vulnerable Software and Affected Versions Quark Drive versions prior to 0.8.5

Description A stored cross-site scripting issue exists in the System Configuration page. The template renders push config key names using the Vue.js v-html directive without proper escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names via the "POST /update" endpoint. These payloads are saved to disk and executed in the browsers of all authenticated users who visit the System Configuration tab, potentially leading to session cookie exfiltration and unauthorized authenticated actions.

Recommendations Update to version 0.8.5 or later.