Lucene search
+L

97 matches found

attackerkb
attackerkb
added 2026/05/29 5:8 p.m.7 views

CVE-2026-45627

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...

8.2CVSS5.8AI score0.00185EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2026/05/29 5:8 p.m.44 views

CVE-2026-45627 Arcane: Unauthenticated reflected XSS via SVG color parameter in /api/app-images/logo enables admin account takeover

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...

8.2CVSS0.00185EPSS
Exploits0References1
euvd
euvd
added 2026/05/29 5:8 p.m.15 views

EUVD-2026-33371

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...

8.2CVSS5.8AI score0.00185EPSS
Exploits0References1
cve
cve
added 2026/05/29 5:8 p.m.22 views

CVE-2026-45627

CVE-2026-45627 describes an unauthenticated reflected XSS in Arcane via the GET /api/app-images/logo endpoint, where a user-supplied color parameter is injected into an SVG block without escaping. The resulting SVG is served as image/svg+xml with no CSP or X-Content-Type-Options headers, enablin...

8.2CVSS5.8AI score0.00185EPSS
Exploits0References1
osv
osv
added 2026/05/29 5:8 p.m.4 views

CVE-2026-45627 Arcane: Unauthenticated reflected XSS via SVG color parameter in /api/app-images/logo enables admin account takeover

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...

8.2CVSS6AI score0.00185EPSS
Exploits0References3
attackerkb
attackerkb
added 2026/05/29 5:7 p.m.8 views

CVE-2026-47125

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin...

8.8CVSS5.8AI score0.00245EPSS
Exploits0References2Affected Software1
vulnrichment
vulnrichment
added 2026/05/29 5:7 p.m.10 views

CVE-2026-47125 Arcane: Missing admin authorization on global variables endpoint

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin...

8.8CVSS5.8AI score0.00245EPSS
Exploits0References1
cvelist
cvelist
added 2026/05/29 5:7 p.m.38 views

CVE-2026-47125 Arcane: Missing admin authorization on global variables endpoint

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin...

8.8CVSS0.00245EPSS
Exploits0References1
euvd
euvd
added 2026/05/29 5:7 p.m.13 views

EUVD-2026-33370

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin...

8.8CVSS5.8AI score0.00245EPSS
Exploits0References1
cve
cve
added 2026/05/29 5:7 p.m.29 views

CVE-2026-47125

CVE-2026-47125 — Arcane global variables endpoint lacks admin authorization Affected: Arcane interface for Docker management (before 1.19.2) via PUT /api/environments/{id}/templates/variables that writes the system-wide .env.global. Root cause: missing admin check in the UpdateGlobalVariables han...

8.8CVSS5.8AI score0.00245EPSS
Exploits0References1
osv
osv
added 2026/05/29 5:7 p.m.2 views

CVE-2026-47125 Arcane: Missing admin authorization on global variables endpoint

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin...

8.8CVSS6AI score0.00245EPSS
Exploits0References3
cvelist
cvelist
added 2026/05/29 5:6 p.m.38 views

CVE-2026-47179 Arcane: Authenticated Arbitrary Host File Read via Docker Compose Include Directives in Arcane

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because...

7.7CVSS0.00307EPSS
Exploits0References2
vulnrichment
vulnrichment
added 2026/05/29 5:6 p.m.11 views

CVE-2026-47179 Arcane: Authenticated Arbitrary Host File Read via Docker Compose Include Directives in Arcane

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because...

7.7CVSS6AI score0.00307EPSS
Exploits0References2
euvd
euvd
added 2026/05/29 5:6 p.m.14 views

EUVD-2026-33369

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because...

7.7CVSS6AI score0.00307EPSS
Exploits0References2
osv
osv
added 2026/05/29 5:6 p.m.3 views

CVE-2026-47179 Arcane: Authenticated Arbitrary Host File Read via Docker Compose Include Directives in Arcane

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because...

7.7CVSS6.1AI score0.00307EPSS
Exploits0References4
cve
cve
added 2026/05/29 5:6 p.m.34 views

CVE-2026-47179

Summary: Arcane exposes an authenticated arbitrary host-file read via Docker Compose include directives. Prior to version 1.19.4, GetProjectFileContent could read any include file declared in a project’s compose file, even outside the project, because CreateProject bypassed include-path validatio...

7.7CVSS6AI score0.00307EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/05/29 5:6 p.m.15 views

CVE-2026-47179

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because...

7.7CVSS6AI score0.00307EPSS
Exploits0References3Affected Software1
cnnvd
cnnvd
added 2026/05/29 12:0 a.m.16 views

arcane 操作系统命令注入漏洞

Arcane is an open-source Docker management software developed by Arcane. Versions of Arcane 1.18.1 and earlier contain a vulnerability related to operating system command injection. This vulnerability stems from the path cleaner in the GET /environments/id/volumes/volumeName/browse endpoint not...

6.3CVSS6.1AI score0.0021EPSS
Exploits0References1
cnnvd
cnnvd
added 2026/05/29 12:0 a.m.10 views

arcane 路径遍历漏洞

Arcane is an open-source Docker management software developed by Arcane. Versions of Arcane prior to 1.19.4 contained a path traversal vulnerability. This vulnerability stemmed from ProjectService.GetProjectFileContent returning Docker Compose containing instructions before performing path...

7.7CVSS5.9AI score0.00307EPSS
Exploits0References2
cnnvd
cnnvd
added 2026/05/29 12:0 a.m.10 views

arcane 安全漏洞

Arcan is an open-source Docker management software developed by Arcane. Versions of Arcan prior to 1.19.0 contained security vulnerabilities. These vulnerabilities stemmed from multiple endpoints in the Huma-based REST API that did not call the checkAdmin helper function. Additionally, the...

9.9CVSS5.8AI score0.00387EPSS
Exploits0References2
Rows per page
Query Builder