CVE-2026-35608

UNKNOWN 0.0

QuickDrop has stored XSS in SVG file preview endpoint allowing JavaScript execution

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScript payload. When any user views the file preview, the script executes in the context of the application's domain. This vulnerability is fixed in 1.5.3.

CWE	CWE-79
Vendor	roastslav
Product	quickdrop
Published	Apr 7, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for roastslav quickdrop

Be the first to know when new unknown vulnerabilities affecting roastslav quickdrop are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

RoastSlav / quickdrop

< 1.5.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/RoastSlav/quickdrop/security/advisories/GHSA-f577-ffvv-w6rr github.com: https://github.com/RoastSlav/quickdrop/releases/tag/v1.5.3