Open CVEs: 243
Exploited: 1
KEV: 1
Unpatched: 39
No Workaround: 12
Internet-facing: 199
Why this provider is risky now
This provider has 243 open CVE(s) in the last 90 days. 1 listed in CISA KEV (known exploited). 39 have no vendor patch. 199 affect internet-facing services. 58 impact the management/identity plane.
Flags: 1 KEV, 1 Exploited, 39 Unpatched, 58 Mgmt / Admin Plane, 15 Public PoC, 12 No Workaround, 199 Internet-facing
Top Risky CVEs
CVE-2026-39987
Act Now
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/terminal/ws` WebSocket endpoint. The terminal handler skips authentication validation entirely, accepting connections without credential checks and spawning PTY shells directly. Attackers obtain full interactive shell access as root in default Docker deployments through a single WebSocket connection, bypassing Marimo's authentication middleware. No public exploit identified at time of analysis.
Within 24 hours: Identify all Marimo deployments running version 0.20.4 or earlier using asset inventory and network discovery tools. Within 7 days: Upgrade all affected instances to Marimo 0.20.5 or later (vendor-released patch available). If the upgrade cannot be completed immediately, temporarily disable or restrict network access to the `/terminal/ws` endpoint on affected systems. Within 30 days: Review application logs for unauthorized WebSocket connections to the `/terminal/ws` endpoint and verify from historical access logs that no malicious commands were executed.
Tags: Edge exposure, ICT dependency, Active exploitation, Management plane, KEV, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-306: Missing Authentication for Critical Function)
- Third-party ICT: Docker
- Exploited in the wild (CISA KEV)
- Management plane (Missing Authentication for Critical Function)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- Known exploited vulnerability (KEV)
- Authentication / access control weakness
CVSS: 9.3 | EPSS: 2.7% | Priority: 119
CVE-2026-33309
Act Now
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrary files anywhere on the host system, leading to remote code execution. The vulnerability affects Langflow version 1.7.3 and earlier, where the multipart upload filename bypasses security checks due to missing boundary containment in the LocalStorageService layer. A proof-of-concept exploit is publicly available demonstrating successful arbitrary file write outside the intended user directory.
Within 24 hours: Disable the POST /api/v2/files/ endpoint or restrict access to trusted administrators only; audit recent file uploads for suspicious activity. Within 7 days: Implement WAF rules to block multipart requests with path traversal patterns (../, ..\, etc.) in Content-Disposition headers; segment the application server from sensitive systems. Within 30 days: Evaluate alternative file upload solutions; develop and test a patched version with storage-layer validation; plan controlled deployment once patch is available.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-22: Path Traversal)
- Third-party ICT: Docker, Canonical / Ubuntu
- Proof of concept available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: Canonical / Ubuntu (Infrastructure & Virtualization)
CVSS: 9.9 | EPSS: 0.1% | Priority: 70
CVE-2026-32760
Act Now
Unauthenticated attackers can register administrator accounts in Docker when self-registration is enabled and default user permissions include admin privileges, as the signup handler fails to strip admin permissions from self-registered accounts. Public exploit code exists for this vulnerability. No patch is currently available.
Within 24 hours: disable self-registration (`signup = false`) immediately and audit all user accounts created since deployment for unauthorized administrators. Within 7 days: review and remove `perm.admin = true` from default user permissions settings, implement mandatory approval workflows for administrator account creation, and conduct forensic analysis of access logs for unauthorized activity. Within 30 days: evaluate vendor patch availability, test patches in non-production environment, and establish monitoring to detect future unauthorized administrator account creation attempts.
Tags: ICT dependency, Management plane, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Docker, SUSE
- Proof of concept available
- Management plane (Improper Privilege Management)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- ICT provider: SUSE (Infrastructure & Virtualization)
- Authentication / access control weakness
CVSS: 9.8 | EPSS: 0.0% | Priority: 69
CVE-2026-34205
Act Now
Unauthenticated network access to Home Assistant apps bypasses intended Docker isolation on Linux systems, exposing internal services to any device on the local network. Apps configured with host network mode inadvertently bind internal Docker bridge endpoints to the broader LAN without authentication controls, enabling unauthorized access with high confidentiality, integrity, and availability impact (CVSS 9.6). Vendor-released patch available in Home Assistant Supervisor 2026.03.02. No public exploit identified at time of analysis, though exploitation requires only adjacent network access with low attack complexity.
Within 24 hours: Identify all Home Assistant Supervisor instances running versions prior to 2026.03.02 using network asset inventory or configuration management tools. Within 7 days: Update all affected Supervisor instances to version 2026.03.02 or later via official vendor channels; verify Docker host network mode configurations post-patch and disable where not operationally required. Within 30 days: Audit network segmentation for all Home Assistant deployments; restrict Layer 2 access to Home Assistant Docker hosts using VLAN isolation or network access controls; document and test failover procedures for any automation dependent on Supervisor connectivity.
Tags: ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Third-party ICT: Docker
- Proof of concept available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
CVSS: 9.6 | EPSS: 0.0% | Priority: 68
CVE-2026-33475
Act Now
An unauthenticated shell injection vulnerability exists in Langflow's GitHub Actions CI/CD workflows, allowing attackers to execute arbitrary commands by crafting malicious branch names or pull request titles. Langflow versions prior to 1.9.0 are affected, specifically the langflow-ai:langflow product. A proof-of-concept exploit exists demonstrating secret exfiltration via crafted branch names, enabling attackers to steal GITHUB_TOKEN credentials and potentially compromise the supply chain without any authentication required.
Within 24 hours: Identify all instances of langflow-ai:langflow versions prior to 1.9.0 in your CI/CD environments and development repositories; immediately revoke any GITHUB_TOKEN credentials that may have been exposed. Within 7 days: Upgrade all Langflow installations to version 1.9.0 or later and rotate all GitHub Actions secrets and access tokens. Within 30 days: Audit GitHub Actions workflow logs for suspicious branch names or pull request titles; implement branch name and PR title validation rules; conduct supply chain security assessment to identify any unauthorized changes to dependent repositories.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-74: Injection)
- Third-party ICT: Docker
- Proof of concept available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
CVSS: 9.1 | EPSS: 0.1% | Priority: 66
CVE-2026-40242
This Week
Server-side request forgery in Arcane Docker management interface versions prior to 1.17.3 allows unauthenticated remote attackers to conduct SSRF attacks via the /api/templates/fetch endpoint. Attackers can supply arbitrary URLs through the url parameter, causing the server to perform HTTP GET requests without URL scheme or host validation, with responses returned directly to the caller. This enables reconnaissance of internal network resources, access to cloud metadata endpoints, and potential interaction with internal services from the server's network context. No public exploit identified at time of analysis.
Within 24 hours: Identify all Arcane Docker instances and document current versions via 'docker inspect' or management console. Within 7 days: Contact Arcane vendor for patch availability timeline and interim guidance; implement network-layer restrictions to the /api/templates/fetch endpoint (firewall rules, WAF blocks on that URI). Within 30 days: Upgrade to Arcane version 1.17.3 or later once released and validated in non-production; perform post-upgrade verification that the /api/templates/fetch endpoint validates and restricts URL schemes and hosts.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- HIGH severity
- Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
- Third-party ICT: Docker
- Proof of concept available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- HIGH severity
- ICT provider: Docker (Dev Platforms & CI/CD)
CVSS: 7.2 | EPSS: 0.0% | Priority: 56
CVE-2026-34156
Act Now
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated low-privilege attackers to escape Node.js vm sandbox and execute arbitrary commands as root inside Docker containers. The vulnerability exploits exposed WritableWorkerStdio stream objects in the sandbox console to traverse the prototype chain, access the host-realm Function constructor, load unrestricted Node.js modules (child_process), and spawn system commands. Confirmed exploited with reverse shell access, database credential theft (DB_PASSWORD, INIT_ROOT_PASSWORD), and arbitrary filesystem operations. EPSS data not available; public exploit code exists with detailed proof-of-concept demonstrating root shell access in nocobase/nocobase:latest Docker image. Critical 10.0 CVSS score reflects network-exploitable, low-complexity attack with complete confidentiality, integrity, and availability impact plus scope change (container escape implications).
Within 24 hours: Inventory all NocoBase deployments and identify instances with Workflow Script Node enabled; isolate affected systems from production networks if possible; disable the @nocobase/plugin-workflow-javascript plugin in all instances. Within 7 days: Implement network-level access controls restricting NocoBase to administrative users only; rotate all database credentials exposed in affected containers; audit workflow execution logs for suspicious activity. Within 30 days: Monitor vendor advisories for patch availability; evaluate migration to alternative workflow solutions or NocoBase versions with remediation; conduct forensic analysis of compromised instances for data exfiltration.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing technique: RCE
- Third-party ICT: Docker
- Proof of concept available
- Moderate evidence (PoC / elevated EPSS)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
CVSS: 9.9 | EPSS: 5.2% | Priority: 55
CVE-2026-32704
This Month
CVE-2026-32704 is a security vulnerability (CVSS 6.5). Risk factors: public PoC available.
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Tags: Edge exposure, ICT dependency, Management plane, PoC, Patched
Why flagged?
CVSS: 6.5 | EPSS: 0.0% | Priority: 53
Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows an
Tags: Edge exposure, ICT dependency, No patch available
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-94: Code Injection)
- Third-party ICT: Docker
- No patch available
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- No remediation available
CVSS: 10.0 | EPSS: 0.1% | Priority: 50
CVE-2026-42869
Act Now
Authentication bypass in SOCFortress CoPilot versions prior to 0.1.57 allows remote unauthenticated attackers to forge admin-scoped JWT tokens and gain full control of the security operations platform. The application ships with a publicly known JWT signing secret hardcoded as a fallback value (bL4unrkoxtFs1MT6A7Ns2yMLkduyuqrkTxDV9CjlbNc=) in backend/app/auth/utils.py and .env.example. Any deployment using the default Docker Compose setup or where JWT_SECRET is not explicitly set signs all authentication tokens with this known value, enabling attackers to impersonate administrators and control every integrated security tool without credentials. CVSS 10.0 with network vector and no authentication required. Fix confirmed in version 0.1.57 via GitHub commit 4640511a0cf2e7b144a71375b5b349a8318cb186.
Within 24 hours: Identify all deployed instances of SOCFortress CoPilot and determine active versions (check Docker image tags, git history, or the version endpoint). Verify whether the JWT_SECRET environment variable is explicitly configured in production (if unset, the default hardcoded secret applies). Within 7 days: Upgrade all affected instances to SOCFortress CoPilot version 0.1.57 or later, following the vendor's upgrade documentation. Set a cryptographically strong JWT_SECRET value unique to each environment and rotate all existing JWT tokens. Within 30 days: Audit access logs for the affected systems to identify unauthorized admin token usage or configuration changes during the vulnerability window; implement a JWT signing secret rotation policy and enforce environment-variable configuration validation in deployment pipelines.
Tags: Edge exposure, ICT dependency, Management plane, Patched
Why flagged?
NIS2 Relevant
- CRITICAL severity
- Internet-facing (CWE-287: Improper Authentication)
- Third-party ICT: Docker
- Management plane (Improper Authentication)
- Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
- CRITICAL severity
- ICT provider: Docker (Dev Platforms & CI/CD)
- Authentication / access control weakness
CVSS: 10.0 | EPSS: 0.1% | Priority: 50
By Exposure
Internet-facing: 199
Mgmt / Admin Plane: 58
Identity / Auth: 41
Internal only: 38
By Exploitability
Known exploited: 1
Public PoC: 15
High EPSS (>30%): 0
Remote unauthenticated: 121
Local only: 26
By Remediation
Patch available: 204
No patch: 39
Workaround available: 172
No workaround: 12
Affected Services / Product Families
Docker: 243 CVE(s) (233 more not listed on this page)