Open CVEs: 9
Exploited: 0
KEV: 0
Unpatched: 2
No Workaround: 0
Internet-facing: 8
Why this provider is risky now
This provider has 9 open CVE(s) in the last 7 days. 2 have no vendor patch. 8 affect internet-facing services. 2 impact the management/identity plane.
2 Unpatched
2 Mgmt / Admin Plane
8 Internet-facing
Top Risky CVEs
CVE-2026-39842
Act Now
Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c
Within 24 hours: Inventory all OpenRemote deployments and document current versions; restrict write:rules role to only trusted superuser accounts and disable rules engine if possible. Within 7 days: Test upgrade path to OpenRemote 1.20.3 or later in a non-production environment; implement network segmentation to limit rules engine access. Within 30 days: Complete upgrade of all production OpenRemote instances to version 1.20.3 or later; audit logs for any rules created by non-superuser accounts since deployment; validate tenant isolation is functioning post-patch.
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-94: Code Injection)
- Third-party ICT: Docker, PostgreSQL, Apple
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: PostgreSQL (Databases & Data Platforms)
- ICT provider: Apple (Operating Systems)
CVSS: 10.0
EPSS: 0.1%
Priority: 50
Server-Side Request Forgery in the Sonicverse Radio Audio Streaming Stack dashboard API client allows authenticated operators to perform arbitrary HTTP requests from the backend server to internal or external targets. Affects Docker Compose deployments installed via the provided install.sh script, including one-liner installations. An attacker can exploit insufficient URL validation in apps/dashboard/lib/api.ts to access internal services, exfiltrate sensitive data from cloud metadata endpoints, or pivot to restricted network segments. CVSS 9.9 critical severity with changed scope indicates potential for significant cross-boundary impact. No public exploit identified at time of analysis.
Within 24 hours: Identify all Sonicverse Radio deployments using Docker Compose with the standard install.sh script and restrict network access to the dashboard API to trusted operators only via firewall/WAF rules. Within 7 days: Implement compensating controls: isolate affected Docker containers from access to internal services, cloud metadata endpoints (169.254.169.254), and inter-service communication; audit logs for suspicious HTTP requests originating from the dashboard API. Within 30 days: Monitor Sonicverse Radio vendor advisories for a patch release; prepare an upgrade plan to the patched version immediately upon availability; consider alternative audio streaming solutions if the patch timeline becomes unacceptable for your risk tolerance.
Edge exposure
ICT dependency
No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- Third-party ICT: Docker
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- No remediation available
CVSS: 9.9
EPSS: 0.0%
Priority: 50
CVE-2026-40313
Act Now
GitHub Actions credential leakage in PraisonAI via the ArtiPACKED attack technique exposes GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN in workflow artifacts. Versions 4.5.139 and below persist credentials in .git/config via actions/checkout without disabling persist-credentials, allowing any user with read access to public repository artifacts to extract tokens and compromise the supply chain. CVSS 9.1 (Critical) with network-accessible, unauthenticated attack vector. EPSS data not provided; no confirmed active exploitation (KEV status not indicated), but the attack technique is publicly documented by Palo Alto Unit42 and widely reported. Vendor-released patch available in version 4.5.140.
Within 24 hours: Audit all PraisonAI deployments and identify instances running version 4.5.139 or below; immediately rotate all GitHub tokens and Actions runtime tokens. Within 7 days: upgrade all affected PraisonAI instances to version 4.5.140 or later and verify persist-credentials is disabled in actions/checkout configurations. Within 30 days: implement credential scanning in CI/CD pipelines, audit artifact retention policies, and review access logs for unauthorized token extraction from public repositories.
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Docker
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
CVSS: 9.1
EPSS: 0.0%
Priority: 46
CVE-2026-40258
Act Now
Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.
Within 24 hours: Identify all gramps-web-api instances in production and document their deployment architecture (SQLite vs. Postgres, storage backend). Within 7 days: Apply the vendor-released patch to all instances; prioritize systems using SQLite multi-tree or volume-mounted configurations. Within 30 days: Restrict media archive import functionality to trusted sources and implement file integrity monitoring on configuration directories; audit recent archive imports for unauthorized file modifications.
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- Third-party ICT: Docker, PostgreSQL
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: PostgreSQL (Databases & Data Platforms)
CVSS: 9.1
Priority: 46
CVE-2026-35582
This Week
OS command injection in NSA Emissary document processing framework allows local place configuration authors to execute arbitrary shell commands with JVM privileges. The Executrix.getCommand() method concatenates IN_FILE_ENDING and OUT_FILE_ENDING configuration values directly into /bin/sh -c command strings without escaping or validation. Attackers with place configuration write access (developers, operators, or anyone compromising a cluster node) can inject shell metacharacters (backticks, comm
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- Third-party ICT: Docker
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Docker (Dev Platforms & CI/CD)
CVSS: 8.8
Priority: 44
CVE-2026-28291
This Week
Command injection in simple-git npm package versions ≤3.28.0 enables arbitrary code execution via crafted Git options. Attackers who control Git command options can bypass the allowUnsafePack safety restriction using malformed variations of the -u flag (e.g., -vu, -4u, --u) to execute shell commands on Linux systems. This vulnerability stems from an incomplete fix for CVE-2022-25860, with proof-of-concept code publicly available demonstrating file creation via touch command. EPSS data not provid
Within 24 hours: Inventory all applications and build pipelines using simple-git ≤3.28.0 via npm audit and dependency scanning tools; isolate affected systems from untrusted input sources. Within 7 days: Monitor vendor (GitHub simple-git repository) for patch release and test in non-production; implement input validation on all Git command parameters as interim control. Within 30 days: Upgrade to patched version once released by vendor; validate remediation via regression testing on affected CI/CD and automation workflows.
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-78: OS Command Injection)
- Third-party ICT: Docker
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Docker (Dev Platforms & CI/CD)
CVSS: 8.1
EPSS: 0.1%
Priority: 41
Authenticated low-privileged users in wger can modify installation-wide gym configuration via /config/gym-config/edit due to missing permission enforcement, enabling vertical privilege escalation. The GymConfigUpdateView declares the 'config.change_gymconfig' permission but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission check never executes. Exploiting this allows attackers to manipulate default gym assignments affecting all users, with GymConfig.save() automatically reassigning user profiles and creating gym configurations tenant-wide. CVSS 7.6 (High) with network attack vector, low complexity, and low privileges required. No active exploitation (KEV) or public PoC identified at time of analysis, though the GitHub advisory provides detailed reproduction steps.
Within 24 hours: Identify all wger installations in your environment and document current versions. Restrict access to /config/gym-config/edit to administrative accounts only via reverse proxy or firewall rules. Within 7 days: Audit GymConfig modification logs for unauthorized changes; review low-privileged user account activity targeting gym configuration endpoints. Within 30 days: Monitor vendor releases for patched wger version and plan immediate deployment; if patch becomes available before 30 days, prioritize deployment within 72 hours of release.
Edge exposure
ICT dependency
No patch available
Management plane
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing technique: authentication-bypass
- Third-party ICT: Docker
- No patch available
- Management plane (Improper Access Control)
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- HIGH severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- No remediation available
- Authentication / access control weakness
CVSS: 7.6
Priority: 38
CVE-2026-40242
This Week
Server-side request forgery in Arcane Docker management interface versions prior to 1.17.3 allows unauthenticated remote attackers to conduct SSRF attacks via the /api/templates/fetch endpoint. Attackers can supply arbitrary URLs through the url parameter, causing the server to perform HTTP GET requests without URL scheme or host validation, with responses returned directly to the caller. This enables reconnaissance of internal network resources, access to cloud metadata endpoints, and potential interaction with internal services from the server's network context. No public exploit identified at time of analysis.
Within 24 hours: Identify all Arcane Docker instances and document current versions via 'docker inspect' or management console. Within 7 days: Contact Arcane vendor for patch availability timeline and interim guidance; implement network-layer restrictions to the /api/templates/fetch endpoint (firewall rules, WAF blocks on that URI). Within 30 days: Upgrade to Arcane version 1.17.3 or later once released and validated in non-production; perform post-upgrade verification that the /api/templates/fetch endpoint validates and restricts URL schemes and hosts.
Edge exposure
ICT dependency
Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- Third-party ICT: Docker
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Docker (Dev Platforms & CI/CD)
CVSS: 7.2
EPSS: 0.0%
Priority: 36
CVE-2026-39848
This Month
CSRF vulnerability in Dockyard prior to 1.1.0 allows unauthenticated remote attackers to start or stop Docker containers by tricking a logged-in administrator into clicking a malicious link, since container control endpoints accept GET requests without CSRF token validation. An attacker can disrupt service availability or trigger unintended container state changes without authentication credentials. No active exploitation or public exploit code has been confirmed.
Edge exposure
ICT dependency
Management plane
Patched
Why flagged?
CVSS: 6.5
EPSS: 0.0%
Priority: 33
By Exposure
- Internet-facing: 8
- Mgmt / Admin Plane: 2
- Identity / Auth: 1
- Internal only: 1
By Exploitability
- Known exploited: 0
- Public PoC: 0
- High EPSS (>30%): 0
- Remote unauthenticated: 4
- Local only: 1
By Remediation
- Patch available: 7
- No patch: 2
- Workaround available: 7
- No workaround: 0