PT-2026-47274 · Red Hat · Quay

Toni Gornals · Published 2026-06-08 · Updated 2026-06-08 · CVE-2026-11569

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Quay (affected versions not specified)

Description

A flaw exists in the 'filedrop' endpoint, which accepts any MIME type without validation. This allows an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. Because the file is stored and served inline through the CDN, this enables stored cross-site scripting (XSS): the malicious script is permanently stored on the target server and executes when a victim visits the archive URL.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
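
A generic hardening pattern for this class of flaw, given as an added example that is neither Quay's code nor its fix: reject uploads whose declared media type is not on an allowlist, and serve stored objects as non-rendering downloads. The allowlist contents and all function names are assumptions made for illustration.

```python
from typing import Optional

# Hypothetical allowlist of media types the upload endpoint will store.
ALLOWED_UPLOAD_TYPES = {"application/gzip", "application/x-tar", "application/octet-stream"}


def normalize_mime(value: Optional[str]) -> str:
    """Lower-case the media type and drop parameters such as '; charset=utf-8'."""
    return (value or "").split(";", 1)[0].strip().lower()


def looks_like_markup(head: bytes) -> bool:
    """Cheap sniff of the first bytes: does the payload start like XML, SVG or HTML?"""
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    return text.startswith((b"<?xml", b"<svg", b"<!doctype", b"<html"))


def validate_upload(declared_type: Optional[str], head: bytes) -> str:
    """Return the normalized type if the upload is acceptable, else raise ValueError."""
    mime = normalize_mime(declared_type)
    if mime not in ALLOWED_UPLOAD_TYPES:
        raise ValueError(f"unsupported media type: {mime or '<missing>'}")
    if looks_like_markup(head):
        raise ValueError("payload looks like markup despite its declared type")
    return mime


def serving_headers(stored_type: str, filename: str) -> dict:
    """Response headers that keep a stored object from running script in the viewer's browser."""
    mime = normalize_mime(stored_type)
    if mime not in ALLOWED_UPLOAD_TYPES:
        mime = "application/octet-stream"  # never echo back a renderable type
    safe_name = "".join(c for c in filename if c.isascii() and (c.isalnum() or c in "._-"))
    return {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{safe_name or "download"}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample input: an empty SVG document, first with its real type, then mislabelled.
    sample = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'
    for declared in ("image/svg+xml", "application/octet-stream"):
        try:
            validate_upload(declared, sample)
        except ValueError as exc:
            print(declared, "->", exc)
    print(serving_headers("image/svg+xml", "report.svg"))
```

The serving-side headers matter for objects already stored before any upload check existed, since validation at upload time does not change how older files are delivered.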

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-11569

Affected Products

Quay