


Perceptive Security
SOC/SIEM Consultancy

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint ref…
Published:
28 May 2026 at 22:00:00
Alert date:
29 May 2026 at 19:07:04
Source:
nvd.nist.gov
Cloud & Virtualization, Web Technologies
CVE-2026-45627 affects Arcane, a Docker container management interface, prior to version 1.19.0. The vulnerability exists in an unauthenticated GET endpoint, /api/app-images/logo, that reflects user-supplied color parameters into SVG documents without proper escaping. Attackers can inject executable JavaScript content by closing style blocks and adding script tags. Because the response carries neither a Content-Security-Policy nor an X-Content-Type-Options header, nothing prevents the injected script from running, which makes cross-site scripting attacks possible. When a logged-in admin visits a crafted URL, the attacker can execute JavaScript in Arcane's origin and hijack the victim's HttpOnly JWT cookie, leading to full admin account compromise. This vulnerability has been fixed in version 1.19.0.
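The defensive pattern implied by the description, shown as an added Go example that is not Arcane's own code: the color parameters are checked against a strict hex-color allowlist before being placed inside the SVG's style block, and the response sets the Content-Security-Policy and X-Content-Type-Options headers the advisory notes were missing. The parameter names fg and bg are assumptions; only the route path comes from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
)

// Only CSS hex colours (#rgb, #rrggbb, #rrggbbaa) pass. Quotes, angle
// brackets and closing tags can never reach the SVG template.
var hexColor = regexp.MustCompile(`^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$`)

var ErrBadColor = errors.New("color must be a CSS hex value such as #1e90ff")

// ValidateColor returns the value unchanged when it matches the allowlist.
func ValidateColor(c string) (string, error) {
	if !hexColor.MatchString(c) {
		return "", ErrBadColor
	}
	return c, nil
}

// RenderLogoSVG builds the logo; it only ever embeds validated colours.
func RenderLogoSVG(fg, bg string) (string, error) {
	fg, err := ValidateColor(fg)
	if err != nil {
		return "", err
	}
	if bg, err = ValidateColor(bg); err != nil {
		return "", err
	}
	return fmt.Sprintf(`<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64"><style>.bg{fill:%s}.fg{fill:%s}</style><rect class="bg" width="64" height="64"/><circle class="fg" cx="32" cy="32" r="20"/></svg>`, bg, fg), nil
}

// LogoHandler rejects bad input with 400 and hardens the successful response:
// nosniff pins the MIME type, and the CSP forbids scripts inside the SVG.
func LogoHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query() // parameter names fg/bg are assumed, not Arcane's
	svg, err := RenderLogoSVG(q.Get("fg"), q.Get("bg"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	h := w.Header()
	h.Set("Content-Type", "image/svg+xml")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
	w.Write([]byte(svg))
}

func main() {
	http.HandleFunc("/api/app-images/logo", LogoHandler)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```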
Technical details
Mitigation steps:
Affected products:
Arcane
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45627
https://github.com/getarcaneapp/arcane/security/advisories/GHSA-q2pj-8v84-9mh5
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
