VYPR

Arcane

by Getarcaneapp

CVEs (10)

  • CVE-2026-45625 | Critical | May 29, 2026
    risk 0.57 | cvss 9.9 | epss 0.00

    Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their…

  • CVE-2026-47125 | High | May 29, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/{id}/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is…

  • CVE-2026-45627 | High | May 29, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping.…

  • CVE-2026-47179 | High | May 29, 2026
    risk 0.43 | cvss 7.7 | epss 0.00

    Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation…

  • CVE-2026-42461 | High | May 9, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list…

  • CVE-2026-45626 | Medium | May 29, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c "find … | while …") inside an Arcane helper…

  • CVE-2026-40242 | High | Apr 10, 2026
    risk 0.40 | cvss 7.2 | epss 0.01

    Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme…

  • CVE-2025-69031 | Medium | Dec 30, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    Missing Authorization vulnerability in Skywarrior Arcane arcane allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Arcane: from n/a through <= 3.6.6.

  • CVE-2026-23944 | Jan 19, 2026
    risk 0.00 | cvss | epss 0.00

    Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy…

  • CVE-2026-23520 | Jan 15, 2026
    risk 0.00 | cvss | epss 0.02

    Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed…