ROOT-APP-GOBINARY-CVE-2026-42306 CVE-2026-42306 in rootio-github.com/docker/docker - Patched by Root
Root has patched CVE-2026-42306 in the rootio-github.com/docker/docker package for Root:Go. Multiple fixed versions available...
ROOT-APP-GOBINARY-CVE-2026-33997 CVE-2026-33997 in rootio-github.com/docker/docker - Patched by Root
Root has patched CVE-2026-33997 in the rootio-github.com/docker/docker package for Root:Go. Multiple fixed versions available...
ROOT-APP-GOBINARY-CVE-2026-34040 CVE-2026-34040 in rootio-github.com/docker/docker - Patched by Root
Root has patched CVE-2026-34040 in the rootio-github.com/docker/docker package for Root:Go. Multiple fixed versions available...
ROOT-APP-GOBINARY-CVE-2025-15558 CVE-2025-15558 in rootio-github.com/docker/cli - Patched by Root
Root has patched CVE-2025-15558 in the rootio-github.com/docker/cli package for Root:Go. Multiple fixed versions available...
EUVD-2026-37814
BBOT: Server-Side Request Forgery SSRF in dockerpull module via WWW-Authenticate realm parsing...
CVE-2026-12539
Docker Sandboxes sbx blocks ICMP egress with an authorizer applied only at network-creation time, and does not re-apply it to networks rebuilt from disk when the Docker daemon restarts, so a restart-surviving sandbox forwards ICMP to arbitrary hosts. A workload inside a sandbox, which the threat...
CVE-2026-12039
Docker Sandboxes sbx enforces an HTTP/S-only egress allowlist but does not apply it to DNS resolution: the per-network embedded DNS server forwards any queried name to the host resolver whenever the network is internet-connected, without consulting the policy. A workload inside a sandbox, which t...
CVE-2026-12539
Docker Sandboxes (sbx) ICMP egress restriction can be bypassed after daemon restart. The issue arises because the authorizer is applied only at network creation and is not re-applied to networks rebuilt from disk on restart, allowing a restart-surviving sandbox to forward ICMP to arbitrary hosts....
EUVD-2026-37893
Docker Sandboxes sbx blocks ICMP egress with an authorizer applied only at network-creation time, and does not re-apply it to networks rebuilt from disk when the Docker daemon restarts, so a restart-surviving sandbox forwards ICMP to arbitrary hosts. A workload inside a sandbox, which the threat...
CVE-2026-12539 Docker Sandboxes ICMP egress restriction bypass after daemon restart
Docker Sandboxes sbx blocks ICMP egress with an authorizer applied only at network-creation time, and does not re-apply it to networks rebuilt from disk when the Docker daemon restarts, so a restart-surviving sandbox forwards ICMP to arbitrary hosts. A workload inside a sandbox, which the threat...
CVE-2026-12039
Docker Sandboxes (sbx) expose a DNS resolution bypass: the per-network embedded DNS server forwards queries to the host resolver when the network is internet-connected, ignoring the HTTP/S egress allowlist. This enables a workload treated as untrusted to encode data in DNS labels for an attacker-...
EUVD-2026-37892
Docker Sandboxes sbx enforces an HTTP/S-only egress allowlist but does not apply it to DNS resolution: the per-network embedded DNS server forwards any queried name to the host resolver whenever the network is internet-connected, without consulting the policy. A workload inside a sandbox, which t...
CVE-2026-12039 Docker Sandboxes network egress allowlist bypass via unfiltered DNS resolution
Docker Sandboxes sbx enforces an HTTP/S-only egress allowlist but does not apply it to DNS resolution: the per-network embedded DNS server forwards any queried name to the host resolver whenever the network is internet-connected, without consulting the policy. A workload inside a sandbox, which t...
Plone Docker - Host Header Injection
Plone Docker Official Image 5.2.13 5221 is vulnerable to Host Header Injection due to improper validation of input by the HOST headers. This can lead to Cross-Site Scripting XSS attacks when the malicious Host header value is reflected in the response. id: CVE-2024-23055 info: name: Plone Docker ...
H3C SSL VPN <=2022-07-10 - Cross-Site Scripting
H3C SSL VPN 2022-07-10 and prior contains a cookie-based cross-site scripting vulnerability in wnm/login/login.json svpnlang. id: CVE-2022-35416 info: name: H3C SSL VPN <=2022-07-10 - Cross-Site Scripting author: 0x240x23elu severity: medium description: | H3C SSL VPN 2022-07-10 and prior contains...
CVE-2026-12566
The CVE describes a vulnerability in the docker_pull module where the realm parameter from a Docker registry’s WWW-Authenticate header is used as the authentication endpoint without validation. This enables a man-in-the-middle between bbot and a Docker registry to alter the header and redirect t...
CVE-2026-12566 SSRF via unvalidated WWW-Authenticate realm in docker_pull module
The dockerpull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication reques...
Malicious code in scan-only (npm)
Source: amazon-inspector (9a7779ff21d9783e1026e13a7abf65e448c5f3d3d111f3cae539f3690e53a2b4). The CLI binary at bin/scan-only.js, when invoked (e.g., via npx scan-only --diagnose), harvests installer-side secrets and ships them to a hardcoded...
MAL-2026-6019 Malicious code in @mastra/docker (npm)
Source: ghsa-malware (dd2417620dd4f98c496cdb956e0e2cf1b55f25dcc57ad7a360f072acfa88ba9c). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...