CVE-2026-45228 Overview
CVE-2026-45228 is a stored cross-site scripting (XSS) vulnerability in Quark Drive versions before 0.8.5. The flaw resides in the System Configuration page, where the Vue.js template renders push_config key names using the v-html directive without escaping. Authenticated attackers can submit HTML or JavaScript payloads as key names through the POST /update endpoint. The payloads persist to disk and execute in the browsers of every authenticated user who later opens the System Configuration tab. The issue is tracked under CWE-79.
Critical Impact
Stored XSS enables session cookie exfiltration and arbitrary authenticated actions against any user viewing the System Configuration tab.
Affected Products
- Quark Drive (quark-auto-save) versions prior to 0.8.5
- System Configuration page rendering push_config key names
- Deployments exposing the POST /update endpoint to authenticated users
Discovery Timeline
- 2026-05-13 - CVE-2026-45228 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45228
Vulnerability Analysis
The vulnerability stems from unsafe template rendering in the Quark Drive web interface. The System Configuration view iterates over the push_config object and emits each key name through Vue.js's v-html directive. v-html renders raw HTML and bypasses Vue's default text interpolation escaping. Any HTML or JavaScript provided as a configuration key name is parsed by the browser when the page loads.
Because configuration data is submitted through the POST /update endpoint and written to disk, the injected payload persists across sessions and restarts. Every authenticated user who navigates to the System Configuration tab triggers execution in their browser context. The attacker requires only low-privilege authenticated access, and the victim must visit the affected tab.
Impact includes session cookie theft, account takeover through forced configuration changes, and arbitrary actions performed under the victim's identity. Administrators visiting the tab expose the highest-privilege sessions on the instance.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The frontend trusts attacker-controlled configuration key names and renders them as HTML rather than text. No server-side sanitization is applied before persistence, and no client-side escaping is applied at render time.
Attack Vector
An authenticated attacker submits a crafted request to POST /update containing a push_config entry whose key name is an HTML or JavaScript payload. The server persists the entry. When any authenticated user opens the System Configuration tab, the payload executes in the browser. See the VulnCheck Security Advisory for additional technical detail.
// No verified exploit code is published. Conceptually, the malicious key name
// is injected via POST /update and rendered by Vue's v-html directive on the
// System Configuration page, causing script execution in viewer browsers.
Detection Methods for CVE-2026-45228
Indicators of Compromise
- push_config entries whose key names contain HTML tags such as <script>, <img>, <svg>, or event handler attributes like onerror= and onload=
- Unexpected outbound requests from administrator browsers immediately after loading the System Configuration tab
- Configuration files on disk containing non-alphanumeric characters in push_config key names
Detection Strategies
- Inspect the persisted Quark Drive configuration file for push_config keys that contain angle brackets, quotes, or JavaScript URI schemes.
- Review HTTP access logs for POST /update requests from low-privilege accounts containing payload-like strings in the request body.
- Monitor browser-side errors or Content Security Policy violations originating from the /system or configuration routes.
Monitoring Recommendations
- Alert on any modification to push_config and capture the requesting user and source IP.
- Track session cookie usage patterns for administrators after they access the System Configuration tab, looking for replay from new IP addresses.
- Forward Quark Drive application logs to a centralized log platform for correlation with authentication events.
How to Mitigate CVE-2026-45228
Immediate Actions Required
- Upgrade Quark Drive (quark-auto-save) to version 0.8.5 or later, which contains the fix referenced in the GitHub Release v0.8.5.
- Audit the current configuration file and remove any push_config keys with suspicious or non-standard characters.
- Rotate session cookies and credentials for users who accessed the System Configuration tab before patching.
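The configuration audit called for under Detection Strategies and Immediate Actions can be scripted. This is an added example, not code from the Quark Drive project or the advisory. It assumes the configuration is JSON with a top-level push_config object and that legitimate key names use only letters, digits and underscores; the sample config and the function names are constructed.

```python
import json
import re

# Assumption: legitimate key names use only letters, digits and underscores.
SAFE_KEY = re.compile(r"[A-Za-z0-9_]+")

# Checks derived from the indicators listed on this page.
CHECKS = [
    ("angle bracket", re.compile(r"[<>]")),
    ("quote character", re.compile(r"[\"'`]")),
    ("event handler attribute", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript: URI scheme", re.compile(r"javascript\s*:", re.IGNORECASE)),
]
# Constructed sample; key names and values are illustrative only.
SAMPLE_CONFIG = json.loads(r"""
{"push_config": {
    "EXAMPLE_PUSH_TOKEN": "abc123",
    "<img src=x onerror=console.log(1)>": "",
    "<a href='javascript:void(0)'>x</a>": "",
    "example key": ""},
 "other_setting": 1}
""")

def audit_push_config(config):
    """Return [(key, [reasons])] for push_config keys that look unsafe."""
    push = config.get("push_config") or {}
    if not isinstance(push, dict):
        raise ValueError("push_config is not an object")
    findings = []
    for key in push:
        reasons = [label for label, rx in CHECKS if rx.search(key)]
        if not reasons and not SAFE_KEY.fullmatch(key):
            reasons.append("non-standard characters")
        if reasons:
            findings.append((key, reasons))
    return findings

def without_flagged_keys(config):
    """Return a copy of config with every flagged push_config key removed."""
    flagged = {key for key, _ in audit_push_config(config)}
    kept = {k: v for k, v in (config.get("push_config") or {}).items()
            if k not in flagged}
    return {**config, "push_config": kept}

if __name__ == "__main__":
    for key, reasons in audit_push_config(SAMPLE_CONFIG):
        print(f"{key!r}: {', '.join(reasons)}")
```

Review the findings before writing the cleaned copy back, since a key flagged only for non-standard characters may be a legitimate entry rather than an injected one.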
Patch Information
The maintainers fixed the issue in version 0.8.5. The remediation commit is available in the GitHub Commit Log. The fix removes the use of v-html for untrusted key names and applies proper escaping during template rendering.
Workarounds
- Restrict access to the POST /update endpoint to trusted administrators using a reverse proxy ACL until the upgrade is applied.
- Deploy a strict Content Security Policy that disallows inline script execution on the Quark Drive web interface to reduce payload impact.
- Avoid using the System Configuration tab on unpatched instances until the upgrade to 0.8.5 is complete.
# Upgrade quark-auto-save to the patched release
git fetch --tags
git checkout v0.8.5
# Or, for Docker-based deployments
docker pull cp0204/quark-auto-save:v0.8.5
docker compose up -d


