Docker

Dev Platforms & CI/CD

Open CVEs: 131
Exploited: 0
KEV: 0
Unpatched: 37
No Workaround: 6
Internet-facing: 102

Why this provider is risky now

This provider has 131 open CVE(s) in the last 90 days. 37 have no vendor patch. 102 affect internet-facing services. 25 impact the management/identity plane.

  • 37 Unpatched
  • 25 Mgmt / Admin Plane
  • 15 Public PoC
  • 6 No Workaround
  • 102 Internet-facing

Top Risky CVEs

CVE-2026-24841
Act Now
Dokploy self-hosted PaaS prior to 0.26.6 has a critical command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands on the host.
Within 24 hours: Identify all Dokploy deployments and their versions; isolate affected instances from production networks if upgrade cannot be completed immediately. Within 7 days: Upgrade all Dokploy instances to version 0.26.6 or later; verify patch application and restart services. Within 30 days: Conduct forensic analysis of affected systems for unauthorized access or command execution; review access logs and audit trails for exploitation attempts; implement network monitoring for WebSocket endpoint anomalies.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Third-party ICT: Docker
  • Proof of concept available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
CVSS 9.9, EPSS 0.1%, Priority 70
CVE-2026-33309
Act Now
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrary files anywhere on the host system, leading to remote code execution. The vulnerability affects Langflow version 1.7.3 and earlier, where the multipart upload filename bypasses security checks due to missing boundary containment in the LocalStorageService layer. A proof-of-concept exploit is publicly available demonstrating successful arbitrary file write outside the intended user directory.
Within 24 hours: Disable the POST /api/v2/files/ endpoint or restrict access to trusted administrators only; audit recent file uploads for suspicious activity. Within 7 days: Implement WAF rules to block multipart requests with path traversal patterns (../, ..\, etc.) in Content-Disposition headers; segment the application server from sensitive systems. Within 30 days: Evaluate alternative file upload solutions; develop and test a patched version with storage-layer validation; plan controlled deployment once patch is available.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-22: Path Traversal)
  • Third-party ICT: Docker, Canonical / Ubuntu
  • Proof of concept available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • ICT provider: Canonical / Ubuntu (Infrastructure & Virtualization)
CVSS 9.9, EPSS 0.1%, Priority 70
CVE-2026-24740
Act Now
Critical access control flaw in Dozzle Docker log viewer allows users restricted by label filters to escape their scope and obtain an interactive root shell on out-of-scope containers. PoC available, patch in v9.0.3.
Within 24 hours: Identify all systems running Dozzle and assess their exposure to untrusted networks; isolate or restrict network access to affected instances if patching cannot be completed immediately. Within 7 days: Apply the available vendor patch to all Dozzle installations and verify successful deployment. Within 30 days: Conduct a log review to determine if the vulnerability was exploited during the exposure window and implement network segmentation to restrict Dozzle access to authorized administrative users only.
Tags: ICT dependency, Management plane, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Docker, SUSE
  • Proof of concept available
  • Management plane (Improper Access Control)
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • ICT provider: SUSE (Infrastructure & Virtualization)
  • Authentication / access control weakness
CVSS 9.9, EPSS 0.0%, Priority 70
CVE-2026-32760
Act Now
Unauthenticated attackers can register administrator accounts in Docker when self-registration is enabled and default user permissions include admin privileges, as the signup handler fails to strip admin permissions from self-registered accounts. Public exploit code exists for this vulnerability. No patch is currently available.
Within 24 hours: disable self-registration (`signup = false`) immediately and audit all user accounts created since deployment for unauthorized administrators. Within 7 days: review and remove `perm.admin = true` from default user permissions settings, implement mandatory approval workflows for administrator account creation, and conduct forensic analysis of access logs for unauthorized activity. Within 30 days: evaluate vendor patch availability, test patches in non-production environment, and establish monitoring to detect future unauthorized administrator account creation attempts.
Tags: ICT dependency, Management plane, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Docker
  • Proof of concept available
  • Management plane (Improper Privilege Management)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • Authentication / access control weakness
CVSS 9.8, EPSS 0.0%, Priority 69
CVE-2026-34205
Act Now
Unauthenticated network access to Home Assistant apps bypasses intended Docker isolation on Linux systems, exposing internal services to any device on the local network. Apps configured with host network mode inadvertently bind internal Docker bridge endpoints to the broader LAN without authentication controls, enabling unauthorized access with high confidentiality, integrity, and availability impact (CVSS 9.6). Vendor-released patch available in Home Assistant Supervisor 2026.03.02. No public exploit identified at time of analysis, though exploitation requires only adjacent network access with low attack complexity.
Within 24 hours: Identify all Home Assistant Supervisor instances running versions prior to 2026.03.02 using network asset inventory or configuration management tools. Within 7 days: Update all affected Supervisor instances to version 2026.03.02 or later via official vendor channels; verify Docker host network mode configurations post-patch and disable where not operationally required. Within 30 days: Audit network segmentation for all Home Assistant deployments; restrict Layer 2 access to Home Assistant Docker hosts using VLAN isolation or network access controls; document and test failover procedures for any automation dependent on Supervisor connectivity.
Tags: ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Docker
  • Proof of concept available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
CVSS 9.6, EPSS 0.0%, Priority 68
CVE-2026-33475
Act Now
An unauthenticated shell injection vulnerability exists in Langflow's GitHub Actions CI/CD workflows, allowing attackers to execute arbitrary commands by crafting malicious branch names or pull request titles. Langflow versions prior to 1.9.0 are affected, specifically the langflow-ai:langflow product. A proof-of-concept exploit exists demonstrating secret exfiltration via crafted branch names, enabling attackers to steal GITHUB_TOKEN credentials and potentially compromise the supply chain without any authentication required.
Within 24 hours: Identify all instances of langflow-ai:langflow versions prior to 1.9.0 in your CI/CD environments and development repositories; immediately revoke any GITHUB_TOKEN credentials that may have been exposed. Within 7 days: Upgrade all Langflow installations to version 1.9.0 or later and rotate all GitHub Actions secrets and access tokens. Within 30 days: Audit GitHub Actions workflow logs for suspicious branch names or pull request titles; implement branch name and PR title validation rules; conduct supply chain security assessment to identify any unauthorized changes to dependent repositories.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-74: Injection)
  • Third-party ICT: Docker
  • Proof of concept available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
CVSS 9.1, EPSS 0.1%, Priority 66
CVE-2026-0863
This Week
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.
Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-95: Eval Injection)
  • Third-party ICT: Docker
  • Proof of concept available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • HIGH severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
CVSS 8.5, EPSS 0.0%, Priority 63
CVE-2026-23846
This Week
Tugtainer versions before 1.16.1 transmit authentication credentials through URL query parameters rather than request bodies, causing passwords to be exposed in server logs, browser history, and proxy logs. This exposure allows attackers with access to these logs or cached data to obtain valid credentials for the Docker container management system. Public exploit code exists for this vulnerability, and a patch is available in version 1.16.1.
Within 7 days: Identify all affected systems running vulnerable versions and apply vendor patches promptly. Vendor patch is available.
Tags: ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: Docker
  • Proof of concept available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • HIGH severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
CVSS 8.1, EPSS 0.1%, Priority 61
CVE-2026-24129
This Week
Runtipi versions 3.7.0 through 4.6.x suffer from arbitrary command execution when authenticated users upload backups with malicious filenames containing shell metacharacters, which the BackupManager fails to sanitize before executing restore operations. An attacker with valid credentials can craft a backup filename like $(id).tar.gz to achieve remote code execution on the host server with the privileges of the Runtipi process. Public exploit code exists for this vulnerability, and patches are available in version 4.7.0 and later.
Within 24 hours: Identify all systems running Runtipi 3.7.0+ and restrict backup functionality access to trusted administrators only. Within 7 days: Apply the available vendor patch to all affected Runtipi instances and validate successful deployment. Within 30 days: Conduct an audit of recent backup activities for suspicious filenames, review user access logs for unauthorized activity, and apply the principle of least privilege to Runtipi user roles.
Tags: Edge exposure, ICT dependency, PoC, Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Third-party ICT: Docker
  • Proof of concept available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • HIGH severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
CVSS 8.0, EPSS 0.1%, Priority 60
CVE-2026-25116
This Week
Unpatched
Runtipi versions 4.5.0 through 4.7.1 contain an unauthenticated path traversal vulnerability in the UserConfigController that allows remote attackers to overwrite the docker-compose.yml configuration file through insecure URN parsing. An attacker can inject a malicious stack configuration that executes arbitrary code when the instance restarts, achieving full remote code execution and host compromise. Public exploit code exists and no patch is currently available.
Within 24 hours: Identify all systems running Runtipi versions 4.5.0-4.7.1 and isolate them from untrusted networks if possible; implement WAF rules to block requests to the vulnerable UserConfigController endpoint. Within 7 days: Upgrade to Runtipi version 4.7.2 or later if available, or disable the UserConfigController feature entirely. Within 30 days: Conduct a full security audit of affected systems to detect any unauthorized docker-compose.yml modifications and verify system integrity.
Tags: Edge exposure, ICT dependency, No patch available, PoC
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-22: Path Traversal)
  • Third-party ICT: Docker
  • Proof of concept available
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • HIGH severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • No remediation available
CVSS 7.6, EPSS 0.1%, Priority 58

By Exposure

Internet-facing: 102
Mgmt / Admin Plane: 25
Identity / Auth: 14
Internal only: 19

By Exploitability

Known exploited: 0
Public PoC: 15
High EPSS (>30%): 0
Remote unauthenticated: 57
Local only: 18

By Remediation

Patch available: 94
No patch: 37
Workaround available: 113
No workaround: 6

Affected Services / Product Families

Docker
131 CVE(s)
CVE-2026-0863 HIGH PoC Patched
CVE-2026-23846 HIGH PoC Patched
CVE-2026-23944 CRITICAL Patched
CVE-2026-24129 HIGH PoC Patched
CVE-2026-24841 CRITICAL PoC Patched
CVE-2025-14740 MEDIUM Unpatched
CVE-2026-24851 HIGH Patched
CVE-2026-25725 CRITICAL Patched
CVE-2026-30953 HIGH Unpatched
CVE-2026-24740 CRITICAL PoC Patched
+ 121 more
