The vulnerability exists in the bootbox component used to display container image labels within Quay. Specifically, the title of the bootbox dialog is not properly sanitized. While image labels created through Quay are validated both in the UI and in the backend by applying a regex (validation.py), the same validation is not performed when the label comes from an image itself. This flaw allows an attacker to publish to a public registry a malicious image whose labels contain a script, which is then executed via XSS (cross-site scripting) when the label is displayed.
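The defensive pattern the description implies is to put image-sourced labels through the same validation as UI-created labels and to escape values before they reach any rendered title. The following is an added illustration, not Quay's own code: the key regex, the length limit, the sample label set and the dialog-title helpers are all assumptions made for this example, and the real pattern in Quay's validation.py is not reproduced here.

```python
import html
import re

# Assumed key pattern for illustration only; Quay's real regex in validation.py is not reproduced here.
LABEL_KEY_RE = re.compile(r"^[a-z0-9]+([._-][a-z0-9]+)*$")
# Assumed upper bound on a label value; a real deployment would pick its own limit.
MAX_VALUE_LEN = 4096


def validate_label_key(key: str) -> bool:
    """Apply the same key check to every label, whichever path it arrived by."""
    return bool(LABEL_KEY_RE.fullmatch(key))


def sanitize_image_labels(labels: dict) -> dict:
    """Filter labels read from an image config the way UI-entered labels are filtered,
    and HTML-escape each surviving value so it is inert if rendered into markup."""
    safe = {}
    for key, value in labels.items():
        # Labels must be string->string; anything else is dropped rather than rendered.
        if not isinstance(key, str) or not isinstance(value, str):
            continue
        # Keys that the UI/backend path would reject are rejected here as well.
        if not validate_label_key(key):
            continue
        if len(value) > MAX_VALUE_LEN:
            continue
        # quote=True also escapes ' and ", which matters when the value lands in an attribute.
        safe[key] = html.escape(value, quote=True)
    return safe


def unsafe_dialog_title(key: str, value: str) -> str:
    """The defect pattern: raw label text interpolated straight into dialog markup."""
    return f"<h4 class=\"modal-title\">{key}: {value}</h4>"


def safe_dialog_title(key: str, value: str) -> str:
    """The corrected pattern: escape both parts before building the title markup."""
    return f"<h4 class=\"modal-title\">{html.escape(key, quote=True)}: {html.escape(value, quote=True)}</h4>"


# Constructed sample: labels as they might be read from an untrusted image's config.
SAMPLE_IMAGE_LABELS = {
    "maintainer": "ops@example.com",
    "org.opencontainers.image.title": "demo-app",
    "description": "<script>alert(1)</script>",  # constructed hostile value
    "Bad Key!": "rejected by the key regex",
}

if __name__ == "__main__":
    for k, v in sanitize_image_labels(SAMPLE_IMAGE_LABELS).items():
        print(safe_dialog_title(k, v))
```

The escaped values pass through `safe_dialog_title` unchanged in meaning, so double escaping is harmless here; the point is that no path exists from an image config to the dialog that skips both the key check and the escaping step.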