Getarcaneapp Arcane vulnerabilities
9 known vulnerabilities affecting getarcaneapp/arcane.
Total CVEs: 9
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 5, MEDIUM 2
Vulnerabilities
CVE-2026-40242: MEDIUM (P3), CVSS 6.5, CWE-918, PoC, fixed in 1.17.3, 2026-04-10
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the ca
Source: nvd
CVE-2026-45625: CRITICAL (P2), CVSS 9.9, CWE-862, fixed in 1.19.0, 2026-05-29
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their stored credentials. Eight of those endpoints (list, create, get, update, de
Source: nvd
CVE-2026-23944: CRITICAL (P2), CVSS 9.8, CWE-306, fixed in 1.13.2, 2026-01-19
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/...` requests for remote envi
Source: nvd
CVE-2026-47125: HIGH (P3), CVSS 8.8, CWE-862, fixed in 1.19.2, 2026-05-29
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/{id}/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can c
Source: nvd
CVE-2026-23520: HIGH (P3), CVSS 8.0, CWE-78, fixed in 1.13.0, 2026-01-15
Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is
Source: nvd
CVE-2026-47179: HIGH (P3), CVSS 7.7, CWE-22, fixed in 1.19.4, 2026-05-29
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose con
Source: nvd
CVE-2026-42461: HIGH (P3), CVSS 7.5, CWE-862, fixed in 1.18.0, 2026-05-09
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template st
Source: nvd
CVE-2026-45626: MEDIUM (P3), CVSS 6.3, CWE-78, affects ≤ 1.18.1, 2026-05-29
Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c "find … | while …") inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-
Source: nvd
CVE-2026-45627: HIGH (P3), CVSS 8.2, CWE-79, fixed in 1.19.0, 2026-05-29
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a element of the embedded logo.svg, allowing a
Source: nvd