CVE-2026-39848

🗓️ 09 Apr 2026 21:44:44Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 6 Views🌐 WEB

CVE-2026-39848: Dockyard unauthenticated cron endpoint lets start or stop containers via get requests without cross site request forgery protection.

Reporter	Title	Published	Views	Family All 7
ATTACKERKB	CVE-2026-39848	9 Apr 202621:44	–	attackerkb
CNNVD	Dockyard 访问控制错误漏洞	9 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-39848 Dockyard's Unauthenticated Cron Endpoint in Dockyard Enables Container Enumeration and Database Manipulation	9 Apr 202621:44	–	cvelist
EUVD	EUVD-2026-21210	9 Apr 202621:44	–	euvd
NVD	CVE-2026-39848	9 Apr 202622:16	–	nvd
Positive Technologies	PT-2026-31809	9 Apr 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-39848 Dockyard's Unauthenticated Cron Endpoint in Dockyard Enables Container Enumeration and Database Manipulation	9 Apr 202621:44	–	vulnrichment

Vulners

Node

10ij dockyardRange<1.1.0

[
  {
    "vendor": "10ij",
    "product": "dockyard",
    "versions": [
      {
        "version": "< 1.1.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/10ij/dockyard/security/advisories/GHSA-jrf6-3j4j-q36g

Parameter	Position	Path	Description	CWE
action	query param	/apps/action.php	GET request to /apps/action.php with action=start\|stop and container name enables CSRF-like manipulation to start/stop containers.	CWE-306
name	query param	/apps/action.php	GET request to /apps/action.php with action=start\|stop and container name enables CSRF-like manipulation to start/stop containers.	CWE-306
action	query param	/apps/action.php	GET request to /apps/action.php with action=start\|stop and container name enables CSRF-like manipulation to start/stop containers.	CWE-306
name	query param	/apps/action.php	GET request to /apps/action.php with action=start\|stop and container name enables CSRF-like manipulation to start/stop containers.	CWE-306

13 Apr 2026 15:02Current

6Medium risk

Vulners AI Score6

CVSS 3.16.5

EPSS0.00048

SSVC

CWE-306