CVE-2026-45228: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Cp0204 quark-auto-save
Quark Drive versions before 0. 8. 5 contain a stored cross-site scripting (XSS) vulnerability in the System Configuration page. The vulnerability arises because the application uses Vue. js's v-html directive to render push_config key names without proper escaping. Authenticated attackers can inject malicious HTML or JavaScript payloads as key names via the POST /update endpoint. These payloads are saved to disk and executed in the browsers of authenticated users who access the System Configuration tab. This can lead to session cookie theft and unauthorized actions performed with the victim's privileges.
AI Analysis
Technical Summary
CVE-2026-45228 is a stored cross-site scripting vulnerability in Cp0204's quark-auto-save product, specifically in Quark Drive versions before 0.8.5. The issue occurs because the System Configuration page renders push_config key names using Vue.js's v-html directive without escaping input. Authenticated users can exploit this by injecting malicious HTML or JavaScript payloads through the POST /update endpoint. These payloads persist on disk and execute in the context of other authenticated users viewing the System Configuration tab, enabling session cookie exfiltration and arbitrary authenticated actions.
Potential Impact
Successful exploitation allows authenticated attackers to execute arbitrary JavaScript in the browsers of other authenticated users. This can lead to session cookie theft and unauthorized actions performed with the victim's privileges within the application. The vulnerability affects confidentiality and integrity of user sessions but requires attacker authentication and user interaction to trigger.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the System Configuration page to trusted users only and monitor for suspicious activity. Avoid using untrusted input in contexts rendered with v-html or similar directives without proper escaping.
CVE-2026-45228: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Cp0204 quark-auto-save
Description
Quark Drive versions before 0. 8. 5 contain a stored cross-site scripting (XSS) vulnerability in the System Configuration page. The vulnerability arises because the application uses Vue. js's v-html directive to render push_config key names without proper escaping. Authenticated attackers can inject malicious HTML or JavaScript payloads as key names via the POST /update endpoint. These payloads are saved to disk and executed in the browsers of authenticated users who access the System Configuration tab. This can lead to session cookie theft and unauthorized actions performed with the victim's privileges.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-45228 is a stored cross-site scripting vulnerability in Cp0204's quark-auto-save product, specifically in Quark Drive versions before 0.8.5. The issue occurs because the System Configuration page renders push_config key names using Vue.js's v-html directive without escaping input. Authenticated users can exploit this by injecting malicious HTML or JavaScript payloads through the POST /update endpoint. These payloads persist on disk and execute in the context of other authenticated users viewing the System Configuration tab, enabling session cookie exfiltration and arbitrary authenticated actions.
Potential Impact
Successful exploitation allows authenticated attackers to execute arbitrary JavaScript in the browsers of other authenticated users. This can lead to session cookie theft and unauthorized actions performed with the victim's privileges within the application. The vulnerability affects confidentiality and integrity of user sessions but requires attacker authentication and user interaction to trigger.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the System Configuration page to trusted users only and monitor for suspicious activity. Avoid using untrusted input in contexts rendered with v-html or similar directives without proper escaping.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-11T14:14:49.611Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a04e0c9cbff5d8610081152
Added to database: 5/13/2026, 8:36:25 PM
Last enriched: 5/13/2026, 8:52:21 PM
Last updated: 5/13/2026, 10:26:02 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.