Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a <style> element of the embedded logo.svg, allowing an attacker to close the style block and inject executable <script> content. Because the response is served as image/svg+xml and Arcane sets no Content-Security-Policy or X-Content-Type-Options headers, navigating a logged-in admin victim to a crafted URL executes attacker-controlled JavaScript in Arcane's origin and rides the victim's HttpOnly JWT cookie to fully compromise the admin account.
Details
The route is registered in backend/internal/huma/handlers/appimages.go:53-61 with an explicitly empty security requirement, marking it as public:
huma.Register(api, huma.Operation{
OperationID: "get-logo",
Method: http.MethodGet,
Path: "/app-images/logo",
...
Security: []map[string][]string{}, // explicit: no auth
}, h.GetLogo)backend/internal/huma/middleware/auth.go:209-213 honors the empty Security value by returning reqs.isRequired == false and short-circuiting with next(ctx), so no JWT/API-key check runs.
GetLogoInput.Color (appimages.go:23) is declared with no validation tags:
type GetLogoInput struct {
Full bool `query:"full" default:"false" ...`
Color string `query:"color" doc:"Optional accent color override ..."`
}The handler passes the value straight through getImageWithColor → ApplicationImagesService.GetImageWithColor → applyAccentColorToSVG (backend/internal/services/app_images_service.go:79-105):
svgStr = strings.ReplaceAll(svgStr, "fill:#6D28D9", fmt.Sprintf("fill:%s", accentColor))
svgStr = strings.ReplaceAll(svgStr, "fill:#6d28d9", fmt.Sprintf("fill:%s", accentColor))The bundled backend/resources/images/logo.svg contains:
<style id="style1" type="text/css">.st0{fill:#6d28d9}</style>so a color value like red}</style><script>fetch('/api/users',...)</script><style>x{ produces a valid SVG that closes the <style> element and embeds a <script> element. The response Content-Type is image/svg+xml (from pkg/utils/image/image_util.go), and a grep of the backend confirms no Content-Security-Policy, X-Content-Type-Options, or framing headers are emitted on any route.
Browsers execute scripts in SVG documents loaded as top-level navigations or via <iframe src=…> / window.open(…). The execution context is origin(arcane-host), so the victim's __Host-token / token HttpOnly JWT cookie (recognized by extractTokenFromCookieHeaderInternal at auth.go:274-286) is automatically attached to subsequent same-origin fetch() calls. From there the attacker can invoke any privileged API the victim possesses - most damagingly POST /api/users to create a new admin account, after which the attacker has standalone admin access to manage Docker containers, registries, GitOps secrets, and SSH/registry credentials stored by Arcane.
Impact
- Same-origin script execution from an unauthenticated, reachable URL - only user interaction (clicking/visiting the crafted link) is required.
- Full session-riding against any authenticated user, including admins. Because Arcane manages Docker daemons, container exec, image registries, and GitOps repositories, an attacker who lands script execution as an admin victim can:
- Create persistent attacker-controlled admin accounts via
POST /api/users. - Read/modify secrets stored in environments, registries, and Git repositories the admin can access.
- Start or exec into containers on connected Docker hosts.
- HttpOnly cookies do not mitigate the issue - cookies are auto-attached to same-origin
fetch(). Absence of CSP andX-Content-Type-Options: nosniffremoves available defenses-in-depth.
Defense-in-depth - add to all responses (and especially to /api/app-images/*):
X-Content-Type-Options: nosniffContent-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:on the SVG image responses (or the most permissive policy compatible with the frontend on app routes).- Consider serving these images with
Content-Disposition: inlineand from a separate cookie-less origin to remove the same-origin session-riding primitive entirely.
Also enforce the same allowlist on the settings write path (SettingsService → AccentColor) so a stored XSS variant cannot be introduced via the settings API.
AnalysisAI
Unauthenticated reflected XSS in Arcane Backend's logo endpoint enables full admin account takeover. The vulnerability allows attackers to inject JavaScript into an SVG image response by manipulating the color parameter, which executes in the application's origin when visited by authenticated users. Fixed in version 1.19.0.
Technical ContextAI
Arcane Backend is a Go-based container management platform that provides Docker daemon control, registry management, and GitOps functionality. The vulnerability stems from unsafe string substitution in SVG processing where user-controlled input is inserted directly into a style element without escaping. The affected component (pkg:go/github.com_getarcaneapp_arcane_backend) serves SVG images with content-type image/svg+xml, and modern browsers execute JavaScript within SVG documents when loaded as top-level resources. The CWE-79 classification indicates improper neutralization of input during web page generation, a classic XSS pattern.
RemediationAI
Upgrade Arcane Backend to version 1.19.0 or later, which contains the fix for this vulnerability. Until upgrade is possible, implement these specific mitigations: configure a reverse proxy to add security headers including X-Content-Type-Options: nosniff and Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data: for all /api/app-images/* endpoints. Additionally, consider serving image endpoints from a separate subdomain without cookie access to prevent session riding. Monitor access logs for requests to /api/app-images/logo with suspicious color parameters containing script tags or style closures.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33371
GHSA-q2pj-8v84-9mh5