XSS in Roastslav Quickdrop

CVE-2026-35608

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (14.4th percentile) — read the EPSS interpretation.

Affected products

Roastslav Quickdrop — versions < 1.5.3

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/RoastSlav/quickdrop/security/advisories/GHSA-f577-ffvv-w6rr (x_refsource_CONFIRM)
https://github.com/RoastSlav/quickdrop/releases/tag/v1.5.3 (x_refsource_MISC)