GHSA-vv84-74f6-h4pqMediumCVSS 5.4

A flaw was found in Quay. The filedrop endpoint accepts any mime type without validation,...

Published
June 8, 2026
Last Modified
June 8, 2026

🔗 CVE IDs covered (1)

📋 Description

A flaw was found in Quay. The filedrop endpoint accepts any mime type without validation, allowing an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. The file is stored and served inline through the CDN, enabling stored cross-site scripting when a victim visits the archive URL.

🔗 References (4)