Quark Drive < 0.8.5 Mass Assignment via POST /update

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to permanently replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services.

AI Analysis

Mass assignment vulnerability allowing authenticated attackers to overwrite administrator credentials via the POST /update endpoint.

Basic Information

ID CVE-2026-45229

Source VulnCheck

Published May 13, 2026 at 19:54

Affected Product

Vendor Cp0204

Product quark-auto-save

Affected Versions Cp0204 quark-auto-save 0

CWE Classification

CWE-915

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Cp0204

Product quark-auto-save

Version 0.8.5 and earlier

References

{
    "lastseen": "",
    "description": "Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to permanently replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services.",
    "published": "2026-05-13T19:54:14.459Z",
    "modified": "2026-05-13T19:54:14.459Z",
    "type": "cve",
    "title": "Quark Drive < 0.8.5 Mass Assignment via POST /update",
    "source": "VulnCheck",
    "references": "https://github.com/Cp0204/quark-auto-save/releases/tag/v0.8.5\nhttps://github.com/Cp0204/quark-auto-save/commit/ea8377a596446291953dbe36e2d119d85bcd865b\nhttps://www.vulncheck.com/advisories/quark-drive-mass-assignment-via-post-update",
    "id": "CVE-2026-45229",
    "bulletinFamily": "",
    "cwe": [
        "CWE-915"
    ],
    "cvelist": null,
    "sourceData": "Cp0204 quark-auto-save 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "quark-auto-save",
    "version": "0",
    "vendor": "Cp0204",
    "ai_description": "Mass assignment vulnerability allowing authenticated attackers to overwrite administrator credentials via the POST /update endpoint.",
    "ai_severity": "High",
    "ai_vendor": "Cp0204",
    "ai_product": "quark-auto-save",
    "ai_version": "0.8.5 and earlier",
    "ai_score": 8.7
}

Quark Drive < 0.8.5 Mass Assignment via POST /update_CVE-2026-45229