2 matches found
CVE-2026-42461
Arcane (Huma backend) has an unauthenticated information disclosure vulnerability prior to version 1.18.0. Four GET endpoints under /api/templates* (list, all, specific, and content) were registered without any Security requirement, enabling unauthenticated network clients to read full Compose YA...
CVE-2026-40242
Arcane (Docker management interface) is affected by an unauthenticated SSRF in the /api/templates/fetch endpoint prior to 1.17.3. The endpoint accepts a caller-supplied url and performs an HTTP GET without authentication and without URL scheme/host validation, returning the response to the caller...