CVE-2026-45229 · HIGH 8.8 · EPSS p28.4%

Description

Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to permanently replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.37% probability of exploitation · percentile 28.4% · 2026-06-19T12:03:05Z
Published: 2026-05-13
Last modified: 2026-05-14

Underlying weaknesses · 1

CWE-915

References

  1. https://github.com/Cp0204/quark-auto-save/commit/ea8377a596446291953dbe36e2d119d85bcd865b
  2. https://github.com/Cp0204/quark-auto-save/releases/tag/v0.8.5
  3. https://www.vulncheck.com/advisories/quark-drive-mass-assignment-via-post-update

Type | Target | Confidence | Tier
Weakness | Improperly Controlled Modification of Dynamically-Determined Object Attributes (cwe-915) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-25268
CVE: CVE-2025-62630
CVE: CVE-2024-56462
CVE: CVE-2026-33377
CVE: CVE-2026-22900
CVE: CVE-2026-45223

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.