arcane 安全漏洞

Arcane is an open-source Docker management software developed by Arcane. Versions of Arcane prior to 1.18.0 contained security vulnerabilities. These vulnerabilities stemmed from four GET endpoints under/api/templates, which did not have security requirements set up. This could allow any...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: docker (UTSA-2026-017330)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017330 advisory. moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that ca...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: docker (UTSA-2026-017338)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017338 advisory. Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: docker (UTSA-2026-017329)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017329 advisory. moby through v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in...

MAL-2026-3647 Malicious code in haswons (npm)

haswons is a typosquatting package impersonating hasown, the utility for checking whether an object has a direct own property. The package bundles the legitimate hasown source to appear functional while hiding a credential-theft payload in index1.js, executed at install time via the postinstall...

CVE-2026-42298

Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow .github/workflows/pr-docker-build.yml allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a...

GHSA-3258-QMV8-FRP3 free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers

Summary free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab...

CVE-2026-42454 Termix: OS Command Injection in Docker Container Management Endpoints

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands execute...

CVE-2026-42454

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands execute...

CVE-2026-42454 Termix: OS Command Injection in Docker Container Management Endpoints

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands execute...

CVE-2026-42454

Termix (web-based server management platform) prior to version 2.1.0 is vulnerable. Docker container management endpoints interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed via ssh2.Client.exec(), without sanitization. An authenticated...

free5GC's NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions

Summary free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management transaction state with a forged or arbitrary bearer token e.g. Authorization: Bearer...

CVE-2026-42298 Postiz: Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev

Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow .github/workflows/pr-docker-build.yml allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a...

EUVD-2026-28849

Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow .github/workflows/pr-docker-build.yml allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a...

CVE-2026-42298

Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow .github/workflows/pr-docker-build.yml allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a...

CVE-2026-41930

Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to...

@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry

Docker registry auth substring match forwards credentials to a different registry Repository cdxgen/cdxgen Affected product/package - Ecosystem: npm - Package: @cyclonedx/cdxgen - Reviewed tree version: 12.3.3 - Reviewed commit: b1e179869fd7c6032c3d483c3f7bd4d7154ec22b - Affected file:...

GHSA-QHH4-458H-XWH2 @cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry

Docker registry auth substring match forwards credentials to a different registry Repository cdxgen/cdxgen Affected product/package - Ecosystem: npm - Package: @cyclonedx/cdxgen - Reviewed tree version: 12.3.3 - Reviewed commit: b1e179869fd7c6032c3d483c3f7bd4d7154ec22b - Affected file:...

Exploit for CVE-2026-3844

CVE-2026-3844 — Breeze Cache Unauthenticated Arbitrary File Up...

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

A previously undocumented Linux implant codenamed Quasar Linux RAT QLNX is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and...