
Docker

Dev Platforms & CI/CD

113
Open CVEs
0
Exploited
0
KEV
15
Unpatched
5
No Workaround
92
Internet-facing

Why this provider is risky now

This provider has 113 open CVE(s) in the last 30 days. 15 have no vendor patch. 92 affect internet-facing services. 37 impact the management/identity plane.

15 Unpatched · 37 Mgmt / Admin Plane · 1 Public PoC · 5 No Workaround · 92 Internet-facing

Top Risky CVEs

CVE-2026-42298
Act Now
Unpatched
Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows an
Edge exposure · ICT dependency · No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-94: Code Injection)
  • Third-party ICT: Docker
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • No remediation available
10.0
CVSS
0.1%
EPSS
50
Priority
CVE-2026-42869
Act Now
Authentication bypass in SOCFortress CoPilot versions prior to 0.1.57 allows remote unauthenticated attackers to forge admin-scoped JWT tokens and gain full control of the security operations platform. The application ships with a publicly known JWT signing secret hardcoded as a fallback value (bL4unrkoxtFs1MT6A7Ns2yMLkduyuqrkTxDV9CjlbNc=) in backend/app/auth/utils.py and .env.example. Any deployment using the default Docker Compose setup or where JWT_SECRET is not explicitly set signs all authentication tokens with this known value, enabling attackers to impersonate administrators and control every integrated security tool without credentials. CVSS 10.0 with network vector and no authentication required. Fix confirmed in version 0.1.57 via GitHub commit 4640511a0cf2e7b144a71375b5b349a8318cb186.
  • Within 24 hours: Identify all deployed instances of SOCFortress CoPilot and determine active versions (check docker image tags, git history, or version endpoint). Verify whether the JWT_SECRET environment variable is explicitly configured in production (if unset, the default hardcoded secret applies).
  • Within 7 days: Upgrade all affected instances to SOCFortress CoPilot version 0.1.57 or later, following the vendor's upgrade documentation. Set a cryptographically strong JWT_SECRET value unique per environment and rotate all existing JWT tokens.
  • Within 30 days: Audit access logs for the affected systems to identify unauthorized admin token usage or configuration changes during the vulnerability window; implement a JWT signing secret rotation policy and enforce environment-variable configuration validation in deployment pipelines.
Edge exposure · ICT dependency · Management plane · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-287: Improper Authentication)
  • Third-party ICT: Docker
  • Management plane (Improper Authentication)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • Authentication / access control weakness
10.0
CVSS
0.1%
EPSS
50
Priority
CVE-2026-44329
Act Now
free5GC's SMF mounts the `UPI` management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit `UPI` endpoints with no
Edge exposure · ICT dependency · Management plane · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • Third-party ICT: Docker
  • Management plane (Missing Authentication for Critical Function)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • Authentication / access control weakness
10.0
CVSS
0.0%
EPSS
50
Priority
CVE-2026-44327
Act Now
free5GC's NEF mounts the `nnef-oam` route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no `Authorizat
Edge exposure · ICT dependency · Management plane · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • Third-party ICT: Docker
  • Management plane (Missing Authentication for Critical Function)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • Authentication / access control weakness
10.0
CVSS
0.0%
EPSS
50
Priority
CVE-2026-44330
Act Now
free5GC's NEF mounts the `nnef-pfdmanagement` route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary b
Edge exposure · ICT dependency · Management plane · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Docker
  • Management plane (Incorrect Authorization)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • Authentication / access control weakness
10.0
CVSS
0.0%
EPSS
50
Priority
CVE-2026-46339
Act Now
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent attackers to execute arbitrary OS commands by chaining two unprotected API endpoints. The Next.js authentication middleware in src/proxy.js uses a narrow route allowlist that excludes /api/cli-tools/* and /api/mcp/*, letting an attacker register an arbitrary command via POST /api/cli-tools/cowork-settings and then trigger spawn() via GET /api/mcp/[plugin]/sse. Publicly available exploit code exists (PoC published with the GHSA advisory), with CVSS 10.0 reflecting maximum severity across confidentiality, integrity, and availability.
  • Within 24 hours: Identify all applications in production and development using 9router versions 0.4.30-0.4.36; document systems exposed to untrusted networks; begin assessment of patching feasibility.
  • Within 7 days: Check the npm registry for a patched version greater than 0.4.36 or evaluate alternative packages; if no upgrade is available, implement network segmentation to restrict access to the /api/cli-tools/* and /api/mcp/* endpoints; deploy Web Application Firewall rules if available.
  • Within 30 days: Verify all vulnerable instances have been upgraded to a patched version or replaced with a secure alternative; audit application logs from the past 30 days for exploitation patterns targeting the vulnerable endpoints.
Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Third-party ICT: Docker
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
10.0
CVSS
50
Priority
CVE-2026-46695
Act Now
Sandbox escape in Boxlite versions prior to 0.9.0 lets untrusted code running inside the lightweight VM remount host-shared virtiofs directories from read-only to read-write, enabling arbitrary writes to host files that operators believed were protected. Because the container is granted all 41 Linux capabilities (including CAP_SYS_ADMIN), a trivial 'mount -o remount,rw' bypasses the client-side MS_RDONLY enforcement, and in AI-agent deployments this leads to host code execution by tampering with mounted code, virtualenvs, or credentials. Publicly available exploit code exists (working PoC published in the GHSA advisory) and the issue carries a CVSS 10.0 with scope change; it was not listed in CISA KEV at time of analysis.
  • Within 24 hours: Audit all systems running Boxlite and document current versions; identify which deployments execute untrusted or AI-agent workloads.
  • Within 7 days: Upgrade all Boxlite instances to version 0.9.0 or later; prioritize production AI-agent deployments.
  • Within 30 days: Review host access logs and mount operations for evidence of exploitation; conduct a threat assessment of any systems that executed untrusted code in vulnerable versions.
Edge exposure · ICT dependency · Management plane · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass, rce
  • Third-party ICT: Docker
  • Management plane (Improper Access Control)
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • Authentication / access control weakness
10.0
CVSS
50
Priority
CVE-2026-42454
Act Now
Unpatched
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate th
Edge exposure · ICT dependency · No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Third-party ICT: Docker
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • No remediation available
9.9
CVSS
0.1%
EPSS
50
Priority
CVE-2026-43948
Act Now
Complete account takeover in wger Python fitness management platform allows authenticated gym managers with no gym assignment (gym=None) to reset passwords of any other unaffiliated user and receive the new plaintext password in the HTTP response body. The vulnerability stems from a Django ORM authorization check that incorrectly evaluates None != None as False, bypassing the tenant isolation guard. Newly registered users default to gym=None state, making every public-registration wger deployment vulnerable. CVSS 9.9 Critical severity with scope change (cross-tenant impersonation). GitHub advisory GHSA-mhc8-p3jx-84mm confirms exploitation requires only low privilege (delegated gym.manage_gym permission) with no user interaction, enabling permanent victim lockout as original passwords are invalidated.
  • Within 24 hours: Identify all wger instances in your environment and audit current user roles for any gym manager accounts; disable public registration if operationally feasible.
  • Within 7 days: Monitor authentication logs for suspicious password reset activity targeting unaffiliated users and review gym manager role assignments for unauthorized accounts.
  • Within 30 days: Implement network segmentation to restrict gym manager access to assigned tenants only; apply the vendor patch immediately upon release and verify remediation in staging before production deployment.
Edge exposure · ICT dependency · Management plane · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Docker
  • Management plane (Incorrect Authorization)
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • Authentication / access control weakness
9.9
CVSS
0.0%
EPSS
50
Priority
CVE-2026-45663
Act Now
Unpatched
Command injection in Dokploy 0.29.1 and earlier allows authenticated users to execute arbitrary OS commands on the host by abusing the Docker file upload feature's unsanitized destinationPath parameter. The CVSS 9.9 score reflects scope change from a containerized context to the underlying host. No public exploit was identified at time of analysis, though the GHSA advisory provides sufficient technical detail to reconstruct one.
  • Within 24 hours: Enumerate all Dokploy deployments running 0.29.1 or earlier; restrict file upload feature access to a minimal set of trusted administrators; enable comprehensive audit logging on all file upload operations.
  • Within 7 days: Review upload logs for suspicious destinationPath patterns; implement network segmentation separating Dokploy infrastructure from production workloads and credential stores.
  • Within 30 days: Establish continuous monitoring of the GHSA advisory for a patch release; develop a tested migration plan to patched versions; deploy host-based endpoint detection and response (EDR) as an interim control on all Dokploy systems.
Edge exposure · ICT dependency · No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-77: Command Injection)
  • Third-party ICT: Docker
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • No remediation available
9.9
CVSS
0.2%
EPSS
50
Priority

By Exposure

Internet-facing
92
Mgmt / Admin Plane
37
Identity / Auth
29
Internal only
19

By Exploitability

Known exploited
0
Public PoC
1
High EPSS (>30%)
0
Remote unauthenticated
57
Local only
11

By Remediation

Patch available
98
No patch
15
Workaround available
65
No workaround
5

Affected Services / Product Families

Docker
113 CVE(s)
CVE-2026-42088 CRITICAL Patched
CVE-2026-41181 MEDIUM Patched
CVE-2026-40893 HIGH Patched
CVE-2026-42238 CRITICAL Patched
CVE-2026-41888 MEDIUM Patched
CVE-2026-42606 HIGH Patched
CVE-2026-42264 HIGH Patched
CVE-2026-42856 HIGH Patched
CVE-2026-42600 MEDIUM Patched
CVE-2026-42260 HIGH Patched
+ 103 more

Recommended Actions
