Cyber Resilience

CVE-2026-45229

HighPublic PoC

Published: 13 May 2026

Published
13 May 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0037 28.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-45229 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked at the 28.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to permanently…

more

replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Mass assignment on config endpoint directly enables overwriting admin credentials (T1098 Account Manipulation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-48150Shared CWE-915
CVE-2025-15602Shared CWE-915
CVE-2026-29056Shared CWE-915
CVE-2026-6912Shared CWE-915
CVE-2026-40897Shared CWE-915
CVE-2026-33453Shared CWE-915
CVE-2026-5708Shared CWE-915
CVE-2026-34406Shared CWE-915
CVE-2026-34427Shared CWE-915
CVE-2026-34179Shared CWE-915

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References