Perceptive Security
SOC/SIEM Consultancy

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint ref…
Published: 28 May 2026 at 22:00:00
Alert date: 29 May 2026 at 21:09:42
Source: nvd.nist.gov
Web Technologies, Cloud & Virtualization
CVE-2026-45627 affects Arcane, a Docker container management interface, prior to version 1.19.0. The vulnerability exists in an unauthenticated GET endpoint /api/app-images/logo that reflects user-supplied color parameters into SVG documents without proper escaping. Attackers can inject executable JavaScript content by closing style blocks and inserting script tags. The lack of Content-Security-Policy and X-Content-Type-Options headers allows for cross-site scripting attacks. When a logged-in admin navigates to a crafted URL, the attacker can execute JavaScript in Arcane's origin and hijack HttpOnly JWT cookies to fully compromise admin accounts. The vulnerability is fixed in version 1.19.0.
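As an added illustration (not code from the Arcane project or from the advisory), the hardened shape of the pattern described above: the colour value is validated against a strict allowlist before it is placed in the SVG, the SVG is built only from the validated token, the response carries the two headers the advisory names as missing, and a small check flags responses that lack them. The endpoint path, SVG shape, named-colour list and header values are assumptions.

```python
"""Hardened handling of a user-supplied colour reflected into an SVG logo."""
import re
from html import escape

# Allowlist: 3/4/6/8-digit hex, or one of a few CSS named colours (assumed list).
_HEX_RE = re.compile(r"\A#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})\Z")
_NAMED = frozenset({"black", "white", "red", "green", "blue", "gray", "grey", "orange", "purple"})
DEFAULT_COLOR = "#000000"

# Headers the advisory reports as absent; the CSP value here is an assumption.
HARDENING_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}


def sanitize_color(value):
    """Return the colour if it is a well-formed token, otherwise the default.
    Rejecting rather than escaping is the primary control: a valid colour can
    never contain '<', '>', '"' or '/', so it cannot close the <style> block
    or introduce markup into the document."""
    if value is None:
        return DEFAULT_COLOR
    token = value.strip()
    if _HEX_RE.match(token) or token.lower() in _NAMED:
        return token
    return DEFAULT_COLOR


def render_logo_svg(color):
    """Build the SVG; escape() is defence in depth and is a no-op after sanitize_color."""
    safe = escape(sanitize_color(color), quote=True)
    return ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">'
            f'<style>.logo{{fill:{safe}}}</style>'
            '<circle class="logo" cx="50" cy="50" r="40"/></svg>')


def logo_response(color):
    """(status, headers, body) for the assumed GET /api/app-images/logo handler."""
    headers = {"Content-Type": "image/svg+xml", **HARDENING_HEADERS}
    return 200, headers, render_logo_svg(color)


def missing_hardening_headers(headers):
    """Defender check: list the hardening headers absent from a captured response."""
    present = {k.lower() for k in headers}
    return [h for h in HARDENING_HEADERS if h.lower() not in present]
```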
Affected products: Arcane
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45627
https://github.com/getarcaneapp/arcane/security/advisories/GHSA-q2pj-8v84-9mh5
This article was created with the assistance of AI technology by Perceptive.
