
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint ref…

Published:

28 May 2026 at 22:00:00

Alert date:

29 May 2026 at 21:09:42

Source:

nvd.nist.gov


Web Technologies, Cloud & Virtualization

CVE-2026-45627 affects Arcane, a Docker container management interface, prior to version 1.19.0. The vulnerability exists in an unauthenticated GET endpoint /api/app-images/logo that reflects user-supplied color parameters into SVG documents without proper escaping. Attackers can inject executable JavaScript content by closing style blocks and inserting script tags. The lack of Content-Security-Policy and X-Content-Type-Options headers allows for cross-site scripting attacks. When a logged-in admin navigates to a crafted URL, the attacker can execute JavaScript in Arcane's origin and hijack HttpOnly JWT cookies to fully compromise admin accounts. The vulnerability is fixed in version 1.19.0.
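A defensive sketch of the two controls the description says were missing, added here as an example and not taken from Arcane's code or its 1.19.0 fix: the color value is allowlisted before it reaches the SVG `<style>` block, and the response carries `X-Content-Type-Options` and a restrictive `Content-Security-Policy`. The `color` parameter name, the function names, the fallback color and the SVG markup are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// Only #RGB, #RGBA, #RRGGBB or #RRGGBBAA may reach the SVG template.
var hexColor = regexp.MustCompile(`^#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$`)

const fallbackColor = "#6d28d9" // constructed default, not Arcane's real value

// safeColor returns raw when it is a plain hex color, otherwise the fallback.
// Allowlisting avoids having to escape for CSS and XML contexts at once.
func safeColor(raw string) string {
	if hexColor.MatchString(raw) {
		return raw
	}
	return fallbackColor
}

// logoResponse builds the headers and SVG body for a requested color.
func logoResponse(rawColor string) (http.Header, string) {
	h := http.Header{}
	h.Set("Content-Type", "image/svg+xml")
	// Stop browsers from second-guessing the declared type.
	h.Set("X-Content-Type-Options", "nosniff")
	// Defense in depth: no script may run if the SVG is opened as a document.
	h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
	body := fmt.Sprintf(`<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">`+
		`<style>.logo{fill:%s}</style><circle class="logo" cx="12" cy="12" r="10"/></svg>`,
		safeColor(rawColor))
	return h, body
}

// logoHandler is a hypothetical handler for the route named in the advisory.
func logoHandler(w http.ResponseWriter, r *http.Request) {
	h, body := logoResponse(r.URL.Query().Get("color"))
	for k, v := range h {
		w.Header()[k] = v
	}
	fmt.Fprint(w, body)
}

func main() {
	http.HandleFunc("/api/app-images/logo", logoHandler)
	_ = http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Rejecting anything that is not a hex color removes the need to reason about which characters end a CSS declaration or an XML element; the headers only limit the damage if validation is ever bypassed.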

Affected products:

Arcane

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
