Skip to main content

Docker

813 CVEs product

Monthly

CVE-2026-54493 HIGH POC PATCH GHSA This Week

{id}. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but it is not in CISA KEV and no active exploitation is identified.

Docker SSRF PHP
NVD GitHub
CVSS 3.1
7.7
CVE-2026-54492 MEDIUM POC PATCH GHSA This Month

Authenticated blind SSRF in Koel v9.6.0 allows any logged-in user to trigger server-side HTTP requests to private, loopback, and RFC1918 destinations by exploiting a missing SafeUrl validation guard on the Subsonic-compatible createPodcastChannel.view route. The main podcast API correctly rejects private URLs with a 422 error, but the Subsonic compatibility layer omits the same SafeUrl rule, and the attacker-supplied URL is fetched synchronously during channel creation via Poddle::fromUrl() - no separate step required. No public exploit identified at time of analysis per KEV status, but a fully documented public PoC with step-by-step curl commands is available in GHSA-w79m-f3jx-779v, validated against the official phanan/koel:9.6.0 Docker image.

Docker SSRF PHP
NVD GitHub
CVSS 3.1
4.3
CVE-2026-50562 CRITICAL Act Now

GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request to smuggle attacker-controlled Docker images into privileged CI/CD pipelines. At commit 22ebfacbb43311e9b73294040ae0eb87390c6bba and earlier, artifacts built from untrusted PR code in the preview-docs-build and preview-fastgpt-build workflows are consumed by privileged workflow_run jobs, letting a malicious image be pushed to GHCR and, for documentation previews, deployed to a Kubernetes cluster using the secrets.KUBE_CONFIG_CN credential. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw is trivially reachable by any contributor.

Docker Information Disclosure Fastgpt
NVD GitHub
CVSS 4.0
9.3
CVE-2026-54446 PyPI HIGH POC PATCH GHSA This Week

Unauthenticated abuse of the operator's NetLicensing credential affects Labs64 netlicensing-mcp (FastMCP server) versions <= 0.1.5 when run in HTTP transport mode. The ApiKeyMiddleware forwards requests that carry no client API key straight to the tool handlers, and the downstream client falls back to the server-side NETLICENSING_API_KEY environment variable, so any network-reachable attacker can invoke every MCP tool (list/create/update/delete of products, licenses, licensees, tokens) under the operator's identity and account quota. Publicly available exploit code exists (a self-contained Docker/Python PoC in the advisory), no public active exploitation is confirmed, and the issue is fixed in 0.1.6.

Docker Authentication Bypass Python
NVD GitHub
CVSS 3.1
8.1
CVE-2026-50158 Go HIGH PATCH GHSA This Week

Arbitrary file write in yutu, a Go-based YouTube CLI and MCP server, lets any caller of the built-in `caption-download` MCP tool place attacker-controlled bytes at any filesystem path the yutu process can write to. The vulnerable `Caption.Download()` calls `os.Create()` on the caller-supplied `file` parameter, bypassing the `YUTU_ROOT` (`pkg.Root`/`os.OpenRoot`) confinement that every other caption write path enforces. Publicly available exploit code exists (a self-contained Docker PoC ships with the advisory); the flaw is not in CISA KEV and no active exploitation is reported, and the vendor has released a fixed version (0.10.9-dev1).

Denial Of Service Debian Python Docker RCE
NVD GitHub
CVSS 3.1
7.7
CVE-2026-54052 npm CRITICAL PATCH GHSA Act Now

Cross-tenant data exposure in n8n-mcp (npm package, <= 2.56.0) lets an authenticated tenant on a shared multi-tenant HTTP instance read, delete, and destroy the automatic workflow version backups belonging to other tenants. Because each snapshot embeds full node definitions, the leaked data can include credential references and authorization headers, making this both a confidentiality and an integrity/availability failure. Rated CVSS 9.9 due to the scope change across tenant trust boundaries; no public exploit is identified at time of analysis, and it is not listed in CISA KEV.

Docker Authentication Bypass
NVD GitHub
CVSS 3.1
9.9
CVE-2026-50125 Go HIGH PATCH GHSA This Week

Unauthenticated remote denial of service in StacklokLabs MKP (Model Context Protocol for Kubernetes) server versions before 0.4.1 lets a single crafted `tools/call` request against the default `:8080` endpoint exhaust process memory. The `get_resource` tool accepts attacker-controlled `limitBytes`/`tailLines` values with no upper bound and streams the entire Kubernetes pod-log response into an in-memory `bytes.Buffer`, driving an OOM kill (dynamic reproduction grew RSS from 25.8 MB to 1,179.3 MB on one request). Publicly available exploit code exists in the GitHub Security Advisory; there is no public evidence of active exploitation.

Docker Kubernetes Denial Of Service Python
NVD GitHub
CVSS 3.1
7.5
CVE-2026-59891 CRITICAL PATCH Act Now

Credential leakage in sigstore-js (specifically the @sigstore/oci package) before 0.7.1 allows Docker registry credentials to be transmitted to the wrong registry because getRegistryCredentials() matched configured auth keys against the target registry using a substring check instead of an exact host match. An attacker who can induce a victim to push or pull signatures/attestations against an attacker-named registry whose hostname has a substring relationship with a legitimately configured registry (e.g. 'cr.io' vs 'ghcr.io', or 'victim.127.0.0.1:5000' vs '127.0.0.1:5000') can capture the victim's stored registry credentials. There is no public exploit identified at time of analysis, and this is not listed in CISA KEV; the underlying weakness (CWE-522) is confirmed and fixed by the vendor in @sigstore/oci 0.7.1.

Docker Information Disclosure Sigstore Js
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-11403 HIGH PATCH This Week

Improper API key generation in Sonatype Nexus Repository Manager lets a remote attacker impersonate a targeted user and perform repository operations on their behalf. The flaw stems from insufficient entropy (CWE-331) in format-specific API key realms, so an attacker who can predict or reconstruct a victim's key gains their access without credentials. The vendor (Sonatype) reported and patched the issue in release 3.93.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Docker Authentication Bypass Node.js Nexus Repository Manager
NVD
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-52824 PHP CRITICAL PATCH GHSA Act Now

Account takeover in Kimai (<= 2.57.0) stems from the official Docker image shipping a hard-coded default APP_SECRET ('change_this_to_something_unique') that Symfony consumes as kernel.secret. Because this HMAC signing key is publicly known and the entrypoint never rotates or validates it, a remote unauthenticated attacker can forge remember-me cookies, LoginLink signatures, password-reset URLs and CSRF tokens to log in as any user, including the id=1 super_admin. No public exploit is identified at time of analysis (a PoC existed but was withheld), and no CVSS/EPSS/KEV data was provided, so the scoring below is independently assessed.

CSRF Docker
NVD GitHub
CVE-2026-56260 PyPI HIGH PATCH This Week

Arbitrary file write in Crawl4AI's Docker API server (versions before 0.8.7) lets remote unauthenticated attackers overwrite any file writable by the service account by abusing the unvalidated output_path parameter on the /screenshot and /pdf endpoints. Reported by VulnCheck and disclosed in GitHub advisory GHSA-365w-hqf6-vxfg, the flaw enables path traversal or absolute-path writes that corrupt server files and cause denial of service. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privileges attack surface makes it a straightforward target once a Crawl4AI Docker server is exposed.

Path Traversal Denial Of Service Docker Crawl4ai
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-56259 PyPI HIGH PATCH This Week

Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attackers steal secrets from the host. By abusing the exposed /md, /llm, and /llm/job endpoints, an attacker supplies a malicious base_url to redirect outbound LLM API calls and sets api_token to the special form env:VARIABLE_NAME, causing the server to resolve and leak arbitrary environment variables - including provider API keys and the JWT SECRET_KEY, which in turn enables full authentication bypass. No public exploit identified at time of analysis, but the flaw is trivially exploitable and reported by VulnCheck with an assigned CVSS 4.0 score of 8.8.

Authentication Bypass Docker Information Disclosure Crawl4ai
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-54071 PyPI HIGH POC PATCH GHSA This Week

Arbitrary Python code execution in BabelDOC (funstory-ai, pip package `babeldoc`) prior to 0.6.3 allows an attacker to run code in the context of the translation process by having a victim process a crafted PDF. The vendored pdfminer CMap loader (`cmapdb.py::_load_data`) strips only NUL bytes from a PDF-controlled CMap/Encoding name and passes it to `pickle.loads()`, so a hex-encoded absolute path in the PDF's `/Encoding` name redirects deserialization to an attacker-planted `.pickle.gz` file. A detailed, working proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no public evidence of active exploitation at time of analysis.

Deserialization Python Canonical Adobe Microsoft +4
NVD GitHub
CVSS 3.1
7.8
CVE-2026-56261 PyPI CRITICAL PATCH Act Now

Server-side request forgery in Crawl4AI's Docker API server (versions before 0.8.7) allows remote unauthenticated attackers to coerce the server into making arbitrary internal requests. The /crawl/job and /llm/job endpoints accept caller-supplied webhook URLs without validating the destination, so an attacker can target private IP ranges, Docker network internals, or the cloud metadata endpoint (169.254.169.254) to reach otherwise unreachable services and harvest credentials. CVSS 4.0 rates it 9.2 (critical); no public exploit identified at time of analysis, and it is not listed in CISA KEV.

SSRF Docker Crawl4ai
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-49836 PyPI MEDIUM POC PATCH GHSA This Month

Path traversal in psd-tools through v1.17.0 exposes any application processing untrusted PSD files to arbitrary file write and secondary arbitrary file read via the SmartObject API. SmartObject.save() consumes the embedded smart-object filename verbatim from the PSD binary - without basename stripping, absolute-path rejection, or directory-escape filtering - allowing a crafted PSD to write attacker-supplied bytes to any path the process can reach. A secondary issue in SmartObject.open() for external-kind objects uses the attacker-controlled fullPath descriptor as a read source, enabling file exfiltration to the write destination. A standalone proof-of-concept is publicly confirmed in the advisory; the fix is vendor-confirmed in v1.17.1 (PR #657). No public exploit identified at time of analysis beyond the advisory-embedded POC, and no CISA KEV listing was found.

Python Path Traversal Buffer Overflow Docker Denial Of Service +1
NVD GitHub
CVE-2026-59854 MEDIUM This Month

Credential file exfiltration in SiYuan prior to 3.7.1 is possible through the POST /api/file/globalCopyFiles endpoint, which accepts arbitrary absolute source paths and relies on an incomplete denylist in util.IsSensitivePath to block sensitive files. The denylist omits common credential files including .git-credentials, .netrc, .pgpass, .kube/config, .docker/config.json, and .gnupg, enabling an authenticated administrator or API-token holder to copy these files into the workspace and read them via the file API. No public exploit code or CISA KEV listing exists at time of analysis, but the Docker tag suggests this is relevant in containerized deployments where host-mounted credential files may be accessible.

Information Disclosure Docker Siyuan
NVD GitHub
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-55605 MEDIUM PATCH This Month

Unauthenticated access to the self-hosted HTTP transport of DeepSeek MCP Server (versions 1.4.2-1.7.x) allows any network-reachable client to initialize a valid MCP session, enumerate server tools, and invoke them without credentials - including `deepseek_chat`, which silently consumes the server operator's `DEEPSEEK_API_KEY`. Default Docker deployments expose port 3000 in HTTP mode out of the box, maximizing the attack surface for any container running on a network-accessible host. No public exploit has been identified at time of analysis, though the GitHub advisory references reproduced testing confirming the full bypass against commit `5e1302171e99`.

Authentication Bypass Docker Deepseek Mcp Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-52770 PHP HIGH POC PATCH GHSA This Week

Boolean-based blind SQL injection in YesWiki's public Bazar entry-listing API allows unauthenticated attackers to read arbitrary database contents by abusing numeric query/queries filters. Because numeric field values are escaped with mysqli_real_escape_string but inserted into the SQL statement without quotes or numeric validation, injected boolean expressions (e.g. '100 OR (SELECT COUNT(*) FROM yeswiki_users)>0') are evaluated by the database, turning the public endpoints into a data-exfiltration oracle. A detailed, self-contained proof-of-concept is published in the advisory; a vendor patch (commit f3b0dd0) is available, though the issue is not listed in CISA KEV.

PHP Oracle SQLi Docker
NVD GitHub
CVSS 3.1
7.5
CVE-2026-52767 PHP HIGH POC PATCH GHSA This Week

Signature-verification bypass in YesWiki (v4.6.5 and earlier, ActivityPub-federated Bazar forms) lets an unauthenticated remote attacker forge a valid ActivityPub actor and have Create/Update/Delete activities processed as if properly signed. The flaw stems from HttpSignatureService::verifySignature() using a loose boolean check (!openssl_verify(...)) that treats openssl_verify()'s -1 internal-error return as success. A detailed proof-of-concept exists (publicly available exploit code exists) demonstrating full CRUD on Bazar entries; the issue is not in CISA KEV and no EPSS score was provided.

CSRF Jwt Attack SSRF OpenSSL Apache +2
NVD GitHub
CVSS 3.1
8.2
CVE-2026-52762 PHP HIGH POC PATCH GHSA This Week

{{ 7 * 7 }} rendering as 49, escalated to an interactive reverse shell); this vulnerability is not in CISA KEV and there is no evidence of active exploitation.

RCE PHP Ssti Docker
NVD GitHub
CVE-2026-59726 CRITICAL PATCH Act Now

Unauthenticated remote code execution in Ruflo (an agent meta-harness for Claude Code and Codex) before 3.16.3 arises because the default docker-compose deployment exposes the MCP bridge's POST /mcp and POST /mcp/:group endpoints with no authentication. A network attacker can send a JSON-RPC tools/call to the terminal_execute tool to gain an interactive shell inside the bridge container, exfiltrate provider API keys, and tamper with AgentDB learning-store patterns. Rated CVSS 10.0 with a scope change; no public exploit identified at time of analysis, and it is not in CISA KEV.

Command Injection Docker
NVD GitHub
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-53727 Ruby HIGH POC PATCH GHSA This Week

Server-side request forgery (and cross-scheme local file disclosure) in the Ruby css_parser gem (all versions prior to 3.0.0) lets an attacker who can land a single @import url(...) rule in parsed CSS force the server to issue arbitrary HTTP/HTTPS GETs to any internal host, port or IP, and — via an attacker-controlled 302 redirect to a file:// URI — read local files. Premailer-style consumers that re-emit the parsed CSS into rendered HTML/email leak any CSS-shaped response bytes back to the attacker, turning this into a data-exfiltration channel rather than a blind SSRF. No public CVSS is published and it is not in CISA KEV, but a complete working proof-of-concept (poc.rb) is included in the advisory, so publicly available exploit code exists.

Kubernetes Hashicorp SSRF Canonical Nginx +5
NVD GitHub
CVE-2026-50553 Go HIGH POC PATCH GHSA This Week

Root-privileged arbitrary directory creation and file write affects Note Mark (self-hosted notes application) versions <= v0.19.4, arising because book and note slug validation uses the unanchored huma OpenAPI pattern '[a-z0-9-]+', letting a low-privilege authenticated user store a path-traversal slug such as '../../../../etc/cron.d/x'. When an administrator later runs the 'note-mark migrate export' or 'export-v1' CLI (routinely as root in Docker), the exporter joins the raw slug into the output path and writes '_index.md' outside the export directory, enabling escalation to code execution as root. Publicly available exploit code exists (a version-pinned Go reproducer plus an end-to-end Docker walkthrough); this is the unpatched sibling of GHSA-g49p-4qxj-88v3 and is not listed in CISA KEV.

RCE OpenSSL Docker
NVD GitHub
CVE-2026-49476 PyPI HIGH POC PATCH GHSA This Week

Memory-exhaustion denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4 (beautifulsoup4), lets remote unauthenticated attackers crash Python services by submitting a large comma-separated CSS selector to soupsieve.compile() or Beautiful Soup's .select()/.select_one(). Each comma-delimited item is parsed into a ~976-byte object graph with no cap on list length, so a ~500 KB selector string of 'a,a,a,...' expands to roughly 244 MB of heap (a ~488x amplification), triggering OOM kills or MemoryError. A working proof-of-concept is published in the advisory; no CISA KEV listing or in-the-wild exploitation is reported.

Kubernetes Python Denial Of Service Docker
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-49456 npm LOW PATCH GHSA Monitor

Open redirect in waku's `unstable_redirect()` server-side router helper allows a network attacker to redirect victims' browsers to arbitrary external domains - including phishing sites for credential harvesting and OAuth token theft - by injecting a malicious `location` string into any waku route that passes user-controlled query parameters to the function. The vulnerability affects waku 1.0.0-beta.0 across all supported runtime adapters (Node.js, Cloudflare Workers, Vercel Edge, Deno), as the reflection path in `handler.ts` is shared. A dynamic proof-of-concept was confirmed by the reporter in two independent Docker-based runs against commit 8e9f542; no vendor-released patch is confirmed at time of analysis, though a v1.0.0-beta.1 release tag appears in advisory references.

Node.js Open Redirect Docker
NVD GitHub
CVSS 3.1
3.1
CVE-2026-52831 Go CRITICAL POC PATCH GHSA Act Now

OS command injection in Nuclio (serverless platform) versions <= 1.15.27 lets attackers run arbitrary shell commands as root inside Kubernetes CronJob pods by submitting a function with a crafted cron trigger. The controller concatenates unsanitized `event.headers` keys and `event.body` values into a `/bin/sh -c` curl string; a header key containing a double-quote breaks quoting, and a body containing `$()` triggers command substitution (strconv.Quote does not escape it). Because the Nuclio Dashboard API is unauthenticated in its default configuration, this is remotely reachable; no public exploit is identified in KEV, though a detailed, dynamically-verified PoC accompanies the advisory.

Python Kubernetes Microsoft Docker Command Injection +1
NVD GitHub
CVSS 3.1
10.0
CVE-2026-14891 HIGH PATCH This Week

Container-to-host sandbox escape in HashiCorp Nomad and Nomad Enterprise lets an authenticated job submitter using the Docker task driver bind-mount an arbitrary host path into their container even when volume bind mounts are administratively disabled, enabling read and write access to files on the underlying host. The scope-changing flaw (CVSS 3.1 8.7) affects the Community and Enterprise editions and is fixed in Nomad 2.0.4 (CE), and Enterprise 2.0.4, 1.11.8, and 1.10.14. There is no public exploit identified at time of analysis and it is not on CISA KEV.

Hashicorp Information Disclosure Docker
NVD VulDB
CVSS 3.1
8.7
EPSS
0.3%
CVE-2026-14373 HIGH PATCH This Week

Host namespace escape in HashiCorp Nomad and Nomad Enterprise lets an authenticated job submitter bypass the allow_privileged control for the Docker task driver, launching containers in host PID/network/IPC namespaces to read data from the host or co-located workloads on the same client node. The flaw stems from missing authorization enforcement (CWE-862) and carries a CVSS 7.7 with a changed scope, reflecting cross-tenant impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Hashicorp Docker Nomad Nomad Enterprise
NVD VulDB
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-55761 HIGH PATCH This Week

Authentication bypass in Portainer Community Edition (2.39.0-2.39.3 and 2.40.0 through 2.42.x) lets an unauthenticated network attacker seize full administrative control of a freshly deployed, uninitialized instance. During the five-minute post-deployment setup window the /api/restore and /api/users/admin/init endpoints stay reachable without credentials, so an attacker who wins the race can create the first admin account or restore a crafted backup and take over the platform along with every Docker, Swarm, Kubernetes and ACI environment it manages. No public exploit identified at time of analysis and it is not on CISA KEV, but the fix is available in 2.39.4 and 2.43.0.

Authentication Bypass Kubernetes Docker Portainer
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-53553 Go HIGH POC GHSA This Week

Path traversal in Goploy's `/deploy/fileDiff` endpoint (versions <=1.17.5) enables any authenticated low-privilege member to read arbitrary files on both the Goploy host and every SFTP-managed remote server registered in the system. The dual file read returns local content in the `srcText` response field and remote server content in `distText`, multiplying the blast radius across all managed deployment targets. Publicly available exploit code exists per the GitHub Security Advisory; this is not listed in CISA KEV, but exploitation conditions are trivially met under default Goploy configuration.

Python Path Traversal Microsoft RCE Docker +1
NVD GitHub
CVSS 3.1
7.7
CVE-2026-53552 Go CRITICAL POC GHSA Act Now

Cross-namespace privilege escalation in goploy (zhenorzz/goploy through 1.17.5 and develop HEAD) lets any authenticated user holding the low-privilege `manager` role in their own namespace read, overwrite, plant, or delete project files in ANY other tenant's project, and rewrite any project's git remote URL, because the `/project/addFile`, `/project/editFile`, `/project/removeFile`, and `/project/edit` handlers act on body-supplied project/file row ids without verifying the target belongs to the caller's namespace. The rewritten git remote escalates to remote code execution on the next deploy, when goploy runs `git remote set-url origin <attacker-url>` and pulls attacker-controlled code under the goploy service account. A detailed proof-of-concept exists demonstrating all four primitives against the published Docker image, though no active exploitation has been reported.

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
9.6
CVE-2026-40187 PHP HIGH POC PATCH GHSA This Week

Authenticated OS command execution in EGroupware allows an administrator to escalate from web-application access to arbitrary shell commands as the web server user (typically www-data). The flaw lives in the eTemplate engine's Widget::expand_name(), where widget attribute values are passed into a PHP eval() with only double-quotes escaped, leaving backtick shell-execution operators intact; an admin uploads a malicious .xet template to the /etemplates VFS mount to trigger it. A detailed proof-of-concept is published in the vendor's GitHub Security Advisory (publicly available exploit code exists), though there is no evidence of active exploitation.

Command Injection PHP RCE Docker
NVD GitHub
CVE-2026-34151 Maven HIGH PATCH GHSA This Week

Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). Depending on how deep the webapp sits below root, this exposes both in-webapp secrets such as WEB-INF/xwiki.cfg and Hibernate configuration, and out-of-webapp OS files like /etc/passwd. No public exploit or active exploitation is tracked, but the vendor advisory (GHSA-qj4x-9g63-25g6) itself publishes working request URLs, so weaponization is trivial.

Atlassian Information Disclosure Tomcat Docker
NVD GitHub
CVE-2026-42201 LOW PATCH Monitor

OS command injection in Coolify's database service configuration API allows authenticated administrators to execute arbitrary shell commands within Docker container contexts by embedding shell metacharacters into database credential fields. All Coolify versions prior to 4.0.0-beta.474 are affected, covering deployments managing Redis, KeyDB, Dragonfly, ClickHouse, PostgreSQL, and MySQL services. No public exploit code has been identified at time of analysis, and the CVSS PR:H requirement confines the attack surface to already-privileged admin accounts, positioning this as a post-compromise escalation risk rather than an initial access vector.

Command Injection Docker Coolify
NVD GitHub VulDB
CVSS 3.1
3.3
EPSS
0.2%
CVE-2026-34158 HIGH PATCH This Week

OS command injection in Coolify, the open-source self-hostable server/application/database management PaaS, allows an authenticated user with permission to edit application settings (versions prior to 4.0.0-beta.469) to run arbitrary commands on the managed host. The flaw lives in the executeInDocker() helper, which wraps user-controlled values in single quotes without escaping embedded quotes, letting an attacker break out of the quoted shell context during deployments and escape the intended Docker container confinement. No public exploit identified at time of analysis; this is not listed in CISA KEV.

Command Injection Docker Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-34168 HIGH PATCH This Week

OS command injection in Coolify (self-hosted server/app management platform) before 4.0.0-beta.471 lets an authenticated user embed shell metacharacters in a LocalPersistentVolume storage name, which is interpolated unescaped into docker volume shell commands and executed on managed servers when the associated resource is deleted. Rated CVSS 8.8 (CWE-78), it yields arbitrary command execution on downstream hosts controlled by the Coolify instance. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is confirmed in release 4.0.0-beta.471.

Command Injection Docker Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-55630 PyPI LOW GHSA Monitor

Stored cross-site scripting in Kiwi TCMS versions prior to 16.1 allows authenticated users to inject arbitrary JavaScript into the `TestCase.extra_link` and `TestPlan.extra_link` fields, which are rendered verbatim to all subsequent viewers. Official Docker-based deployments are substantially protected by a `Content-Security-Policy` header that blocks inline script execution, but customized deployments that alter default middleware or security settings remain fully exploitable. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

XSS Docker
NVD GitHub
CVE-2026-34599 HIGH PATCH This Week

Privilege escalation to root command execution in Coolify (self-hosted PaaS) prior to 4.0.0-beta.471 lets any authenticated user holding the lowest-privilege team 'member' role run arbitrary OS commands as root on every server Coolify manages. The flaw lives in the GetLogs Livewire component, whose $container public property is unsanitized and lacks the #[Locked] attribute, so any team member can tamper with it over the Livewire wire protocol. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but the low authentication barrier and full CIA impact make it high priority for any multi-tenant Coolify deployment.

Command Injection Docker Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2026-42204 HIGH PATCH This Week

OS command injection in Coolify (self-hosted server/app/database management platform) versions 4.0.0-beta.471 through 4.0.0-beta.473 lets an authenticated team member run arbitrary shell commands on the underlying host. A regression weakened the SHELL_SAFE_COMMAND_PATTERN allowlist so that ampersands were permitted in custom Docker Compose build, start, and pre/post-deployment command fields, enabling command chaining. The issue is fixed in 4.0.0-beta.474; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Command Injection Docker Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-42148 LOW PATCH Monitor

OS command injection in Coolify's settings module allows a highly privileged attacker in a development environment to execute arbitrary shell commands on the host server by injecting metacharacters into the dev_helper_version field, which is passed unsanitized into a Docker build command. All Coolify releases prior to 4.0.0-beta.474 are affected. No public exploit code exists and no CISA KEV listing has been issued; the provided CVSS score of 3.8 (Low) accurately reflects the highly constrained exploitation prerequisites, though the underlying command injection class warrants upgrade regardless.

Command Injection PHP Docker Coolify
NVD GitHub
CVSS 3.1
3.8
EPSS
0.1%
CVE-2026-53759 PyPI LOW PATCH GHSA Monitor

Arbitrary file write as root via symlink attack in Linuxfabrik Monitoring Plugins affects any deployment using the provided sudoers configuration. The monitoring plugins create SQLite databases at predictable, static paths under /tmp; an attacker who has already gained access to the nagios service account can pre-place symlinks at those paths, and when a monitoring script is subsequently invoked via sudo, it follows the symlink and writes a SQLite database to any attacker-chosen path on the filesystem. A proof-of-concept is included in the GitHub Security Advisory GHSA-r35r-fpx2-jgr4, and no CISA KEV listing or CVSS score has been assigned at time of analysis.

Denial Of Service Docker
NVD GitHub
CVE-2026-57572 PyPI CRITICAL PATCH Act Now

Remote code execution in Crawl4AI's Docker API server (versions prior to 0.9.0) lets unauthenticated attackers run arbitrary commands as the container runtime user. The server passes request-supplied browser_config.extra_args directly into Chromium's launch arguments, enabling argument injection (CWE-88) of a malicious child-process launcher combined with --no-zygote. Because the Docker API is unauthenticated by default and CVSS is scored 10.0, a single crafted HTTP request achieves full container compromise; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Docker Google Crawl4ai
NVD GitHub
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-57573 PyPI HIGH PATCH This Week

Server-side request forgery in Crawl4AI's Docker API server (versions prior to 0.9.0) lets a remote unauthenticated client coerce the server into fetching attacker-chosen internal, private, or link-local URLs and streaming the response body back. The SSRF destination allowlist check was enforced on the non-streaming /crawl path but omitted from the streaming code path, so requests to POST /crawl/stream - or POST /crawl with crawler_config.stream=true - bypass validation entirely. No public exploit identified at time of analysis, but the fix is public in commit 60886d1 and the root cause (a guard applied to one path but not its sibling) is trivial to reproduce.

SSRF Docker Crawl4ai
NVD GitHub
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-55786 PyPI HIGH POC PATCH GHSA This Week

Unauthenticated OS command execution in flyto-core (Python package, confirmed on 2.26.2) allows any client that can reach the HTTP MCP endpoint (POST /mcp) to run arbitrary shell commands as the server process. The JSON-RPC tools/call handler lacks the require_auth dependency present on the equivalent REST route, so an attacker can invoke execute_module against sandbox.execute_shell and reach asyncio.create_subprocess_shell with attacker-controlled input. Publicly available exploit code exists (a curl one-liner and poc.py in the advisory); there is no CISA KEV listing and no EPSS score provided, and by default the server binds to 127.0.0.1, making this a local (CVSS 8.4) issue that becomes network-exploitable only when started with --host 0.0.0.0.

Command Injection Python Authentication Bypass Docker
NVD GitHub
CVSS 3.1
8.4
CVE-2026-14784 MEDIUM PATCH This Month

Sandbox boundary enforcement failure in PentAGI (vxcontrol) versions up to 2.1.0 allows authenticated remote users to break Docker containment controls via the Docker API client component in `backend/pkg/docker/client.go`, enabling limited information disclosure and unauthorized low-impact modifications within the Docker environment. The CVSS 4.0 vector (PR:L, AV:N, AC:L) confirms low-privilege network-reachable exploitation with no user interaction required, though all impact metrics remain Low and no host-level breakout is indicated. No public exploit code exists and this vulnerability is not listed in CISA KEV; an upstream fix is pending as an unmerged GitHub pull request.

Information Disclosure Docker Pentagi
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-20896 CRITICAL PATCH NEWS Act Now

Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any source IP to impersonate arbitrary users because the image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default. When an operator enables reverse-proxy header authentication (e.g. X-WEBAUTH-USER), the wildcard trust list means Gitea accepts those identity headers from any client rather than only from a trusted front-end proxy, granting full account takeover including administrator access. No public exploit has been identified at time of analysis, and the issue is patched in Gitea 1.26.3.

Authentication Bypass Gitea Docker Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2026-49254 Go LOW POC PATCH GHSA Monitor

Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.

Google Authentication Bypass Redis Docker Information Disclosure
NVD GitHub
CVE-2026-50180 PyPI HIGH POC PATCH GHSA This Week

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfiltrate files from the PostgreSQL host even under the strict default config (allow_dangerous_operations=False, allowed_statement_types=['SELECT']). The _validate_query blocklist enumerates dangerous functions by exact name and misses the pg_read_file/pg_stat_file/pg_ls_*/pg_current_logfile family (plus MSSQL OPENDATASOURCE and keyword-less SQLite ATTACH), so these SELECT-shaped payloads pass both the statement-type allowlist and the regex blocklist and reach the live SQLAlchemy engine. Publicly available exploit code exists (a working PoC ships in the GHSA advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Python Path Traversal Canonical Docker
NVD GitHub
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-50181 PyPI HIGH POC PATCH GHSA This Week

Path traversal in Langroid's ReadFileTool and WriteFileTool lets a tool caller escape the configured curr_dir workspace boundary by supplying '../' sequences in file_path, because the tools only chdir into curr_dir without resolving and enforcing that the final path stays inside it. Applications that expose these file tools to an LLM agent or user-influenced tool calls can have arbitrary files read or written outside the intended project/sandbox directory, exposing secrets, config, and source files or corrupting files elsewhere on the host. Publicly available exploit code exists (a working PoC is included in the report demonstrating both read and write escapes), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

Python Path Traversal Docker
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-50027 PyPI CRITICAL POC PATCH GHSA Act Now

Missing authentication in mcp-memory-service's HTTP REST server exposes every route under /api/documents/* without any credential check, even when the operator has enabled MCP_API_KEY or OAuth, so remote attackers can upload, read, and delete stored memories at will. Because the sibling /api/memories router correctly enforces auth (returning 401), the gap is an inconsistent, easily-discovered authentication boundary that grants full confidentiality, integrity, and availability impact. A working PoC and vendor GitHub Security Advisory (GHSA-84hp-mqvj-3p8h) exist, so publicly available exploit code exists, though no CISA KEV listing or EPSS score was provided.

Authentication Bypass Python Information Disclosure Docker
NVD GitHub
CVSS 3.1
9.8
CVE-2026-58455 CRITICAL Act Now

Unauthenticated OS command injection in Notifiarr Dockwatch through version 0.6.567 lets remote attackers run arbitrary shell commands on the host and achieve full compromise, since default deployments mount the Docker socket. The root cause is an Execution-After-Redirect flaw (CWE-698) where loader.php redirects unauthenticated users but fails to call exit(), allowing the attacker to seed the required session flag and then reach shell_exec() in ajax/compose.php with attacker-controlled input. The CVSS 4.0 base score is 9.2 (VC/VI/VA all High); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though a vendor advisory and upstream fix exist.

Command Injection PHP Docker Dockwatch
NVD GitHub
CVSS 4.0
9.2
EPSS
1.2%
CVE-2026-50143 npm HIGH POC PATCH GHSA This Week

Apify API token exfiltration in @apify/actors-mcp-server 0.10.7 lets a remote attacker steal a victim's bearer credential via URL authority injection (CWE-918/SSRF). Because getActorMCPServerURL() naively concatenates a trusted standby base URL with an attacker-controlled webServerMcpPath from an Actor definition, an Actor published with a value like '@attacker.example/mcp' causes the WHATWG URL parser to resolve the outbound connection to the attacker's host, and connectMCPClient() unconditionally forwards the victim's 'Authorization: Bearer <APIFY_TOKEN>' header there. Publicly available exploit code exists (a Docker-based PoC that captures the token on an attacker HTTPS server); no active exploitation is confirmed.

Python SSRF OpenSSL Node.js Docker +1
NVD GitHub
CVSS 3.1
8.1
CVE-2026-48978 Go LOW PATCH GHSA Monitor

Unvalidated bearer realm URL handling in oras-go v2 ≤ 2.6.0 enables two distinct attack primitives against users who run oras operations against a malicious, compromised, or man-in-the-middle'd registry: server-side request forgery (SSRF) to internal network endpoints including cloud instance metadata services, and TLS downgrade that exposes user credentials in plaintext. The OCI distribution spec legitimately allows cross-host realm references for split-auth deployments (e.g., Docker Hub's auth.docker.io pattern), but oras-go failed to block private IP literals, loopback addresses, and scheme downgrades from https to http - patterns that are never legitimate under any valid registry trust model. No active exploitation has been confirmed (not in CISA KEV), and a patch is available in v2.6.1.

SSRF Microsoft Docker
NVD GitHub
CVE-2026-48824 Go MEDIUM PATCH GHSA This Month

{id}/release` still call `json.NewDecoder(r.Body)` with no body-size cap, allowing a remote unauthenticated attacker to drive process RSS from ~8 MB baseline to ~450 MB with a single 16 MB request (~28× amplification), with no memory recovery between requests. A working proof-of-concept with exact reproduction steps is published in the advisory; no KEV status confirmed at time of analysis.

Denial Of Service Docker
NVD GitHub
CVSS 3.1
5.3
CVE-2026-48819 npm MEDIUM PATCH GHSA This Month

Prototype pollution in @hey-api/openapi-ts affects all versions through 0.97.2, allowing remote unauthenticated attackers to substitute the prototype chain of the returned params slot object by passing a crafted key such as '$query___proto__' through any application that forwards user-supplied parameters to a generated SDK method. The flaw resides in a runtime template (dist/clients/core/params.ts) that is copied verbatim into every generated SDK, meaning every downstream npm package regenerated from this tool carries the vulnerable code - confirmed affected consumers include @opencode-ai/sdk and @trigger.dev/sdk. A functional proof-of-concept is publicly available; exploitation is not confirmed as actively exploited and is absent from CISA KEV.

Node.js Docker Code Injection Prototype Pollution
NVD GitHub
CVSS 3.1
4.8
CVE-2026-49989 Maven LOW POC PATCH GHSA Monitor

{table}/{digest}`) allows any authenticated user to read, write, or delete blobs across all blob tables, entirely circumventing the GRANT-based access control that the SQL path correctly enforces. Verified against CrateDB 6.2.7 and present since the blob HTTP handler was introduced, `io.crate.protocols.http.HttpBlobHandler` authenticates the connecting user but never invokes `AccessControl`, making blob operations permissible to any valid credential holder regardless of table-level privileges. A complete end-to-end Docker PoC is included in the report demonstrating both unauthorized read (HTTP 200) and unauthorized delete (HTTP 204) while the SQL path correctly returns a permission error for the same user; no KEV listing and no EPSS data are available at time of analysis.

Authentication Bypass Oracle Java Docker
NVD GitHub
CVE-2026-13760 HIGH PATCH This Week

OS command injection in AWS aws-cdk-lib lets an actor who controls a dependency version string in a project's package.json run arbitrary commands on the host executing the CDK toolchain. The flaw lives in the OsCommand helper of the NodejsFunction Docker bundling pipeline, which passes unsanitized version strings into a shell during nodeModules installation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; AWS has released a fixed version (v2.260.0).

Command Injection Docker Aws Cdk
NVD GitHub
CVSS 4.0
7.0
EPSS
0.6%
CVE-2026-49864 npm HIGH POC PATCH GHSA This Week

Cross-site scripting in the wetty web-terminal client (npm package `wetty`, default configuration) lets any writer of content a victim renders inject keystrokes into that victim's live SSH session. The client base64-decodes an attacker-controlled filename from the documented file-download escape sequence (`\x1b[5i<name>:<content>\x1b[4i`) and interpolates it raw into a Toastify toast with `escapeMarkup:false`, so script runs in the wetty origin and can call `window.wetty_term.input()` to type commands and read the terminal buffer. A detailed proof-of-concept is published in the GitHub Security Advisory (GHSA-p26j-h7wj-r568), so publicly available exploit code exists; there is no public evidence of active exploitation at time of analysis.

XSS Docker
NVD GitHub
CVE-2026-49857 npm HIGH POC PATCH GHSA This Week

Server-Side Request Forgery in auth-fetch-mcp v3.0.1 lets an attacker who controls the url argument of the auth_fetch or download_media MCP tools reach loopback and private-range services that the built-in assertSafeUrl() guard is supposed to block. The bypass works by encoding the target as an IPv4-mapped IPv6 literal (e.g. http://[::ffff:127.0.0.1]:PORT/), which Node's WHATWG URL parser normalizes to ::ffff:7f00:1 so the private-IP check falls through. A detailed, reproduced proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no vendor-released patch identified at time of analysis. CVSS 3.1 is 7.4 (High); EPSS was not provided.

Node.js SSRF Docker Google
NVD GitHub
CVSS 3.1
7.4
CVE-2026-56264 PyPI CRITICAL PATCH Act Now

Arbitrary JavaScript execution in Crawl4AI's Docker API server (versions before 0.8.7) lets remote attackers submit code to the /execute_js endpoint, which runs it inside the server's Chromium browser context launched with --disable-web-security. Because the browser's same-origin and CORS protections are disabled, attacker-controlled JavaScript can pivot into server-side request forgery against internal services and metadata endpoints. No public exploit has been identified at time of analysis, and the CVSS 4.0 base score is 9.2 (critical), though the vector's high attack complexity and present attack requirements indicate exploitation is not fully trivial.

Code Injection SSRF Docker RCE Crawl4ai
NVD GitHub
CVSS 4.0
9.2
EPSS
0.5%
CVE-2026-58446 MEDIUM POC PATCH This Month

Authentication bypass in Presenton's bundled MCP server exposes server and Docker deployments to unauthenticated remote exploitation via the unprotected /mcp endpoint. When operators configure session authentication using AUTH_USERNAME/AUTH_PASSWORD, nginx enforces access control on all paths except /mcp, which is absent from the auth_request gate - and the MCP server compounds this by auto-minting valid internal session tokens for the configured user on any incoming request. An unauthenticated remote attacker can therefore invoke MCP tools such as generate_presentation as if fully authenticated, consuming the operator's LLM API keys and writing arbitrary presentations to the instance. A publicly available proof-of-concept exists; no active exploitation confirmed in CISA KEV.

Authentication Bypass Nginx Docker Presenton
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-27957 HIGH PATCH This Week

Authenticated command injection in Coolify's CA Certificate management feature (all versions prior to 4.0.0-beta.464) lets any logged-in user inject arbitrary OS commands that execute as the configured SSH user on a managed server. Because Coolify requires that SSH user to be root or a docker-group member, successful exploitation yields full compromise of the managed host and every Docker container it runs. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and minimal privilege requirement make it a high-priority patch for any multi-user Coolify instance.

Command Injection Docker Coolify
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-27955 MEDIUM PATCH This Month

{$command}'` invocation without sanitizing single quotes, and the user-controlled `docker_compose_custom_build_command` and `docker_compose_custom_start_command` fields are interpolated directly into that shell string. No public exploit has been identified at time of analysis, but the CVSS scope-change flag (S:C) confirms the critical container-to-host escape dimension, and the injection technique is well-understood - making the practical impact substantially higher than the reported 6.6 base score implies.

Command Injection Docker Coolify
NVD GitHub
CVSS 3.1
6.6
EPSS
0.2%
CVE-2026-58053 CRITICAL POC PATCH Act Now

Container escape in Gitea act_runner (Docker backend, through act 0.262.0) lets an authenticated user with workflow-execution rights break out to the host as root even when privileged mode is disabled. The runner passes a workflow's container.options string straight into the Docker job container's HostConfig and only forces the Privileged flag off, leaving dangerous options like --pid=host, --cap-add, and --security-opt intact. Publicly available exploit code exists (reported by VulnCheck), though it is not listed in CISA KEV.

Privilege Escalation Gitea Docker Act Runner
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-53576 CRITICAL PATCH Act Now

Unauthenticated remote code execution in Kestra orchestration platform before 1.0.45 and 1.3.21 lets anonymous attackers fully compromise the host. The REST API authentication filter treats any request path ending in /configs as the public instance-config endpoint, so an attacker appending the literal segment configs (e.g. to flow-create or execution-trigger routes) bypasses Basic-Auth, creates a flow with a Shell/Process task, and executes commands as root inside the container; with the default docker-compose mounting /var/run/docker.sock, this pivots to the host Docker daemon. No public exploit identified at time of analysis, but the technique is fully described in the vendor advisory and is trivially reproducible.

Code Injection Docker RCE Kestra
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-48790 Go MEDIUM POC PATCH GHSA This Month

Credential exposure in turso-cli versions 1.0.25 and earlier allows any local user on the same host to read the Turso platform JWT stored world-readable at mode 0o644 in settings.json, granting full access to all Turso organizations the victim belongs to. The root cause is turso-cli's failure to override Viper's insecure default configPermissions before writing credentials - a deviation from the explicit 0o600 baseline established by comparable CLIs including gh, aws, docker, and gcloud. A proof-of-concept demonstrating the 0o644 mode is included in the advisory; no active exploitation is listed in CISA KEV.

Privilege Escalation Apple Docker
NVD GitHub
CVSS 3.1
5.5
CVE-2026-46386 CRITICAL PATCH Act Now

Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardcoded Rails secret (ENV SECRET_KEY_BASE=OVERWRITE_ME). Because the application uses cookies_serializer = :marshal, any logged-in user who knows this deterministic key can forge a signed cookie containing a malicious Marshal payload that is deserialized when reaching the /my/two_factor_devices cookie reader, yielding code execution on the server (CVSS 9.9, scope-changed). At the time of analysis there is no public exploit identified and the issue is not in CISA KEV, but the predictability of the default key makes exploitation straightforward for anyone running an unmodified image.

Deserialization Docker Openproject
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-54636 CRITICAL PATCH Act Now

Container-to-host command execution in Dokku's cron plugin (versions prior to 0.38.7) lets an actor who can control an application's app.json schedule break out of the Docker container and run arbitrary commands on the host as the privileged Dokku user. Because the cron command was interpolated into a shell-evaluated line, special characters such as ';' or '>' were interpreted on the host rather than confined to the container, yielding a scope-changing escape (CVSS 9.9). No public exploit has been identified at time of analysis, but the root cause and fix are fully documented in the vendor advisory and patch.

Command Injection Docker Dokku
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-45405 HIGH PATCH This Week

Arbitrary file write in Dokku before 0.38.2 lets an attacker with deploy-level access escalate to full shell access on the host. The git:from-archive and certs:add commands extract attacker-supplied tar/zip archives without sanitizing member paths, and because GNU tar creates and then follows symlinks during extraction, a crafted archive can plant files anywhere the dokku user can write - most damagingly ~/.ssh/authorized_keys. There is no public exploit identified at time of analysis and CISA SSVC records exploitation as none, but the technical impact is rated total.

Information Disclosure Docker Dokku
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-45406 HIGH PATCH This Week

OS command execution on the Dokku host is possible through the openresty-vhosts plugin in versions prior to 0.38.2, where custom OpenResty include filenames from an app's git repository are interpolated unescaped into a single-quoted shell string that is later run through eval. An attacker who can deploy a Dokku app with the openresty proxy enabled can plant a file whose name contains a single quote to break the quoting and inject a command substitution, executing arbitrary commands as the dokku user on the next deploy. There is no public exploit identified at time of analysis and it is not in CISA KEV, though the upstream advisory and a security regression test document the mechanism precisely.

Code Injection Information Disclosure Docker Dokku
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-45407 MEDIUM PATCH This Month

Insufficiently protected credential storage in Dokku prior to 0.38.2 exposes git authentication secrets stored in $DOKKU_ROOT/.netrc to any local user who can traverse the Dokku home directory. The git:auth command pre-creates the .netrc file using bash's touch, which applies the process umask (0644) before the netrc binary runs - defeating the netrc binary's own 0600 enforcement because the file already exists at write time. No public exploit code exists and the vulnerability is not in CISA KEV, but the confidentiality impact is rated High given that plaintext git credentials (hostnames, usernames, passwords) are directly readable without any special tooling.

Information Disclosure Docker Dokku
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-45408 CRITICAL PATCH Act Now

OS command injection in Dokku (the Docker-powered self-hosted PaaS) prior to version 0.38.2 allows an authenticated user with git push access to execute arbitrary shell commands as the privileged dokku user. The flaw stems from a permissive app-name validation regex that accepts shell metacharacters, which are then interpolated unquoted into a generated bash pre-receive hook; a semicolon in the app name terminates the intended command and runs attacker-supplied commands on git push. There is no public exploit identified at time of analysis, but the fix is confirmed in 0.38.2 and the underlying mechanics are fully documented in the GitHub advisory and PR #8590.

Command Injection Docker Dokku
NVD GitHub
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-55166 PyPI CRITICAL POC PATCH GHSA Act Now

Privilege escalation to AWS IAM and PKI compromise in Netflix Lemur 1.9.0 (and earlier) lets any SSO-authenticated, low-privilege user chain an ACME acme_url SSRF with a creator-equality IDOR to steal the worker's AWS STS credentials and retain permanent access to issued TLS private keys. Because Lemur auto-provisions new SSO identities as active=True, any holder of a trusted federated identity can reach the vulnerable authority-creation and key-fetch endpoints. A detailed, fully reproduced proof-of-concept (Docker lab plus asciinema recording) exists publicly, though there is no public exploit identified as being used in active attacks and the issue is fixed in 1.9.2.

Python Authentication Bypass SSRF OpenSSL Docker
NVD GitHub
CVSS 3.1
9.9
CVE-2026-55165 PyPI MEDIUM POC PATCH GHSA This Month

JWT algorithm confusion in Netflix Lemur 1.9.0 allows an attacker to control which signing algorithm the server trusts by supplying an arbitrary alg value in the unverified token header, which is passed directly to pyjwt.decode() instead of a server-pinned allowlist. On current PyJWT 2.x deployments the standalone impact is limited to audit-log blinding and a durable algorithm-downgrade primitive; full account takeover requires chaining with a separate LEMUR_TOKEN_SECRET disclosure vulnerability, after which a forged HS256 admin JWT yields HTTP 200 with role=admin. A public proof-of-concept walkthrough exists (asciinema); no active exploitation is confirmed in CISA KEV.

SSRF Jwt Attack Python Docker
NVD GitHub
CVSS 3.1
4.8
CVE-2026-55454 CRITICAL PATCH Act Now

Reverse-proxy takeover in Appsmith versions prior to 2.1 lets an authenticated low-privileged user abuse server-side request forgery to reach the bundled Caddy admin API, which ships with no authentication and listens on 0.0.0.0:2019 inside the container. By forcing the Appsmith server to issue a POST /load to that internal endpoint, the attacker rewrites the live Caddy configuration and seizes control of the reverse proxy that fronts the application. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-confirmed CWE-749 exposure carries a 9.9 CVSS rating.

SSRF Docker Appsmith
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-50189 HIGH PATCH This Week

Authenticated command execution in Appsmith versions prior to 2.1 lets any administrator run arbitrary OS commands inside the application's Docker container. The bundled supervisord exposes an XML-RPC management interface on port 9001, which Appsmith's Caddy reverse proxy publishes externally at /supervisor/* on the public ingress; combined with the supervisord password being readable through GET /api/v1/admin/env, an admin can authenticate to supervisord and abuse twiddler.addProgramToGroup to spawn programs that execute shell commands. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV. Fixed in 2.1.

Information Disclosure Docker Appsmith
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.2%
CVE-2026-13140 LOW Monitor

Stored XSS in the AWS API key store component of Thinkst Applied Research Canarytokens allows a low-privileged attacker who knows a token's random identifier to inject persistent malicious scripts that execute in a victim's browser when they view the affected token page. Exploitation is constrained by high attack complexity (AC:H), a prerequisite attack requirement (knowledge of a random identifier), low-privilege authentication, and active user interaction - reflected in an extremely low CVSS 4.0 base score of 1.1. No active exploitation is confirmed; however, the CVSS 4.0 vector includes E:P, indicating proof-of-concept exploit code exists.

XSS Docker Canarytokens
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.2%
CVE-2026-55863 PyPI MEDIUM PATCH GHSA This Month

Unauthenticated remote action execution in motionEye (pip/motioneye < 0.44.0) exposes every camera action endpoint - snapshots, recording start/stop, and administrator-configured shell scripts - to any attacker who can reach port 8765, due to a missing @BaseHandler.auth() decorator on ActionHandler.post(). Dynamically confirmed on v0.43.1 in a Docker lab environment; exploitation requires only a single HTTP POST with no credentials, headers, or user interaction. Beyond the CVSS 5.3 Medium rating, real-world impact extends to physical security bypass (PTZ, alarms, lighting controls) if action scripts are configured, and SSRF via remote camera triggering - no public exploit or CISA KEV listing is identified at time of analysis.

Docker Authentication Bypass Python SSRF
NVD GitHub
CVSS 3.1
5.3
CVE-2026-55448 Cargo MEDIUM PATCH GHSA This Month

Command injection in mise's GitHub credential resolver executes attacker-controlled shell commands on the victim developer's machine when a malicious `.mise.toml` is placed in a repository and no higher-priority GitHub token environment variable is set. Versions v2026.3.15 through v2026.3.17 (and all releases up to < 2026.6.4) pass `github.credential_command` from untrusted local project config directly to `sh -c` without any trust verification. A working proof-of-concept is confirmed per GHSA-29hf-rm4x-xxph on Docker linux-arm64; no CISA KEV listing at time of analysis, but POC availability elevates practical risk above the moderate CVSS base score.

Command Injection Docker
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-54350 npm CRITICAL PATCH GHSA Act Now

{$exists:true}`) that override the builder's intended filter, returning or altering every document in a MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or JSON-body REST collection. A detailed working POC is published in the advisory; the issue is not in CISA KEV and EPSS is low (0.43%, 34th percentile), so this is publicly demonstrated but not yet confirmed as actively exploited.

SQLi Canonical Docker PostgreSQL Elastic +2
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-52813 Go CRITICAL POC PATCH GHSA Act Now

Remote code execution in Gogs self-hosted Git service before 0.14.3 allows unauthenticated attackers (where self-registration is enabled) to abuse unsanitized organization names containing '../' sequences to write Git repository files outside the intended storage root, then overwrite a repository's hooks/update script and trigger arbitrary command execution as the git user. The flaw carries a CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) rating, and a fully working public proof-of-concept is published alongside the GHSA advisory, though no CISA KEV listing or EPSS data is provided in the input.

Docker RCE PostgreSQL Path Traversal
NVD GitHub
CVSS 3.1
10.0
EPSS
1.1%
CVE-2026-52807 Go MEDIUM PATCH GHSA This Month

Stored DOM-based XSS in Gogs versions prior to 0.14.3 allows any repository user with write access to inject JavaScript via a crafted milestone name, which executes in another user's browser when they open the New Issue page and interact with the milestone dropdown. The flaw is an incomplete fix for the earlier GHSA-vgjm-2cpf-4g7c, which patched view_content.tmpl but missed the identical sink in new_form.tmpl. A working PoC is published in the GitHub advisory, but no public exploit identified at time of analysis in CISA KEV or EPSS-tracked sources.

XSS Docker
NVD GitHub
CVSS 4.0
4.8
EPSS
0.5%
CVE-2026-52806 Go CRITICAL PATCH GHSA Act Now

Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.

Command Injection Docker Apple Privilege Escalation Ubuntu +3
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
1.0%
CVE-2026-56274 npm HIGH POC PATCH This Week

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update permissions) to abuse the Custom MCP Server feature and run arbitrary OS commands on the host. The validateCommandFlags blocklist and validateArgsForLocalFileAccess regex are incomplete - for example 'docker build' is permitted and 'npx --yes' is permitted while only '-y' is blocked - letting attackers point Flowise at a hostile Dockerfile or local script to achieve full host compromise. Publicly available exploit code exists (the GHSA advisory ships a reproduction), though there is no public exploit identified at time of analysis in CISA KEV.

Command Injection Docker Flowise
NVD GitHub
CVSS 4.0
8.7
EPSS
1.7%
CVE-2026-54352 npm CRITICAL PATCH GHSA Act Now

Arbitrary file read in Budibase self-hosted server (@budibase/server <= 3.39.0) allows an authenticated workspace builder to exfiltrate any file readable by the server process by uploading a crafted PWA zip containing a symlink entry. Because the default `budibase/budibase:latest` Docker image runs Node as root, attackers can retrieve `/data/.env` (JWT_SECRET, INTERNAL_API_KEY, MinIO/Redis/CouchDB credentials, DATABASE_URL) and even `/etc/shadow`, enabling JWT forgery and full global-admin takeover. Publicly available exploit code exists - a complete working PoC is published in the GHSA advisory - though there is no public exploit identified at time of analysis beyond that disclosure write-up.

Docker CSRF PostgreSQL Path Traversal
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.5%
CVE-2026-54232 PyPI HIGH PATCH This Week

Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments through a dependency confusion attack in the project's Dockerfile. Because flashinfer-jit-cache was pulled via --extra-index-url with UV_INDEX_STRATEGY=unsafe-best-match while the name remained unregistered on PyPI, any attacker who claimed the name on PyPI with a higher version would have their code executed as root during every Docker build. No public exploit identified at time of analysis, but the supply-chain primitive is well understood and trivially weaponizable.

Docker RCE Vllm Red Hat
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-46611 PyPI MEDIUM PATCH GHSA This Month

DNS rebinding against the Glances XML-RPC server (`glances -s`) allows a network-adjacent or remote attacker to exfiltrate the full system monitoring dataset - including process command lines that routinely contain secrets - from a victim's browser without any authentication. The `GlancesXMLRPCHandler` in `glances/server.py` accepts arbitrary HTTP `Host` headers without validation, an omission that persists while the REST/WebUI server received an equivalent fix (TrustedHostMiddleware, v4.5.2) and the MCP server was protected since v4.5.1. No active exploitation is confirmed (not in CISA KEV), but a detailed proof-of-concept is published in the vendor's GitHub security advisory GHSA-w856-8p3r-p338 and the attack is materially amplified by the companion CORS wildcard issue CVE-2026-46608.

Kubernetes Docker RCE Python Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-46608 PyPI HIGH PATCH GHSA This Week

Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.

Grafana Docker Python Authentication Bypass Kubernetes +1
NVD GitHub
CVSS 3.1
7.4
EPSS
0.4%
CVE-2026-46607 PyPI HIGH PATCH GHSA This Week

Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.

Docker Python Privilege Escalation RCE Deserialization +1
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-33692 PHP HIGH PATCH GHSA This Week

Unauthenticated information disclosure in WWBN AVideo (versions prior to 29.0) deployed via the official docker-compose.yml exposes the application's .env file at /.env, leaking database credentials, the SYSTEM_ADMIN_PASSWORD, and internal Docker network topology. The default Apache document root mount lacks any rule blocking dotfile access, so a single curl request to /.env returns plaintext secrets. No public exploit identified at time of analysis, though reproduction is trivial against any default Docker deployment.

Apache Docker Information Disclosure
NVD GitHub
CVSS 3.1
7.5
CVSS 7.7
HIGH POC PATCH This Week

{id}. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but it is not in CISA KEV and no active exploitation is identified.

Docker SSRF PHP
NVD GitHub
CVSS 4.3
MEDIUM POC PATCH This Month

Authenticated blind SSRF in Koel v9.6.0 allows any logged-in user to trigger server-side HTTP requests to private, loopback, and RFC1918 destinations by exploiting a missing SafeUrl validation guard on the Subsonic-compatible createPodcastChannel.view route. The main podcast API correctly rejects private URLs with a 422 error, but the Subsonic compatibility layer omits the same SafeUrl rule, and the attacker-supplied URL is fetched synchronously during channel creation via Poddle::fromUrl() - no separate step required. No public exploit identified at time of analysis per KEV status, but a fully documented public PoC with step-by-step curl commands is available in GHSA-w79m-f3jx-779v, validated against the official phanan/koel:9.6.0 Docker image.

Docker SSRF PHP
NVD GitHub
CVSS 9.3
CRITICAL Act Now

GitHub Actions artifact-poisoning (pwn request) in labring/FastGPT allows an external attacker who opens a pull request to smuggle attacker-controlled Docker images into privileged CI/CD pipelines. At commit 22ebfacbb43311e9b73294040ae0eb87390c6bba and earlier, artifacts built from untrusted PR code in the preview-docs-build and preview-fastgpt-build workflows are consumed by privileged workflow_run jobs, letting a malicious image be pushed to GHCR and, for documentation previews, deployed to a Kubernetes cluster using the secrets.KUBE_CONFIG_CN credential. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw is trivially reachable by any contributor.

Docker Information Disclosure Fastgpt
NVD GitHub
CVSS 8.1
HIGH POC PATCH This Week

Unauthenticated abuse of the operator's NetLicensing credential affects Labs64 netlicensing-mcp (FastMCP server) versions <= 0.1.5 when run in HTTP transport mode. The ApiKeyMiddleware forwards requests that carry no client API key straight to the tool handlers, and the downstream client falls back to the server-side NETLICENSING_API_KEY environment variable, so any network-reachable attacker can invoke every MCP tool (list/create/update/delete of products, licenses, licensees, tokens) under the operator's identity and account quota. Publicly available exploit code exists (a self-contained Docker/Python PoC in the advisory), no public active exploitation is confirmed, and the issue is fixed in 0.1.6.

Docker Authentication Bypass Python
NVD GitHub
CVSS 7.7
HIGH PATCH This Week

Arbitrary file write in yutu, a Go-based YouTube CLI and MCP server, lets any caller of the built-in `caption-download` MCP tool place attacker-controlled bytes at any filesystem path the yutu process can write to. The vulnerable `Caption.Download()` calls `os.Create()` on the caller-supplied `file` parameter, bypassing the `YUTU_ROOT` (`pkg.Root`/`os.OpenRoot`) confinement that every other caption write path enforces. Publicly available exploit code exists (a self-contained Docker PoC ships with the advisory); the flaw is not in CISA KEV and no active exploitation is reported, and the vendor has released a fixed version (0.10.9-dev1).

Denial Of Service Debian Python +2
NVD GitHub
CVSS 9.9
CRITICAL PATCH Act Now

Cross-tenant data exposure in n8n-mcp (npm package, <= 2.56.0) lets an authenticated tenant on a shared multi-tenant HTTP instance read, delete, and destroy the automatic workflow version backups belonging to other tenants. Because each snapshot embeds full node definitions, the leaked data can include credential references and authorization headers, making this both a confidentiality and an integrity/availability failure. Rated CVSS 9.9 due to the scope change across tenant trust boundaries; no public exploit is identified at time of analysis, and it is not listed in CISA KEV.

Docker Authentication Bypass
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Unauthenticated remote denial of service in StacklokLabs MKP (Model Context Protocol for Kubernetes) server versions before 0.4.1 lets a single crafted `tools/call` request against the default `:8080` endpoint exhaust process memory. The `get_resource` tool accepts attacker-controlled `limitBytes`/`tailLines` values with no upper bound and streams the entire Kubernetes pod-log response into an in-memory `bytes.Buffer`, driving an OOM kill (dynamic reproduction grew RSS from 25.8 MB to 1,179.3 MB on one request). Publicly available exploit code exists in the GitHub Security Advisory; there is no public evidence of active exploitation.

Docker Kubernetes Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Credential leakage in sigstore-js (specifically the @sigstore/oci package) before 0.7.1 allows Docker registry credentials to be transmitted to the wrong registry because getRegistryCredentials() matched configured auth keys against the target registry using a substring check instead of an exact host match. An attacker who can induce a victim to push or pull signatures/attestations against an attacker-named registry whose hostname has a substring relationship with a legitimately configured registry (e.g. 'cr.io' vs 'ghcr.io', or 'victim.127.0.0.1:5000' vs '127.0.0.1:5000') can capture the victim's stored registry credentials. There is no public exploit identified at time of analysis, and this is not listed in CISA KEV; the underlying weakness (CWE-522) is confirmed and fixed by the vendor in @sigstore/oci 0.7.1.

Docker Information Disclosure Sigstore Js
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Improper API key generation in Sonatype Nexus Repository Manager lets a remote attacker impersonate a targeted user and perform repository operations on their behalf. The flaw stems from insufficient entropy (CWE-331) in format-specific API key realms, so an attacker who can predict or reconstruct a victim's key gains their access without credentials. The vendor (Sonatype) reported and patched the issue in release 3.93.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Docker Authentication Bypass Node.js +1
NVD
CRITICAL PATCH Act Now

Account takeover in Kimai (<= 2.57.0) stems from the official Docker image shipping a hard-coded default APP_SECRET ('change_this_to_something_unique') that Symfony consumes as kernel.secret. Because this HMAC signing key is publicly known and the entrypoint never rotates or validates it, a remote unauthenticated attacker can forge remember-me cookies, LoginLink signatures, password-reset URLs and CSRF tokens to log in as any user, including the id=1 super_admin. No public exploit is identified at time of analysis (a PoC existed but was withheld), and no CVSS/EPSS/KEV data was provided, so the scoring below is independently assessed.

CSRF Docker
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary file write in Crawl4AI's Docker API server (versions before 0.8.7) lets remote unauthenticated attackers overwrite any file writable by the service account by abusing the unvalidated output_path parameter on the /screenshot and /pdf endpoints. Reported by VulnCheck and disclosed in GitHub advisory GHSA-365w-hqf6-vxfg, the flaw enables path traversal or absolute-path writes that corrupt server files and cause denial of service. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privileges attack surface makes it a straightforward target once a Crawl4AI Docker server is exposed.

Path Traversal Denial Of Service Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attackers steal secrets from the host. By abusing the exposed /md, /llm, and /llm/job endpoints, an attacker supplies a malicious base_url to redirect outbound LLM API calls and sets api_token to the special form env:VARIABLE_NAME, causing the server to resolve and leak arbitrary environment variables - including provider API keys and the JWT SECRET_KEY, which in turn enables full authentication bypass. No public exploit identified at time of analysis, but the flaw is trivially exploitable and reported by VulnCheck with an assigned CVSS 4.0 score of 8.8.

Authentication Bypass Docker Information Disclosure +1
NVD GitHub VulDB
CVSS 7.8
HIGH POC PATCH This Week

Arbitrary Python code execution in BabelDOC (funstory-ai, pip package `babeldoc`) prior to 0.6.3 allows an attacker to run code in the context of the translation process by having a victim process a crafted PDF. The vendored pdfminer CMap loader (`cmapdb.py::_load_data`) strips only NUL bytes from a PDF-controlled CMap/Encoding name and passes it to `pickle.loads()`, so a hex-encoded absolute path in the PDF's `/Encoding` name redirects deserialization to an attacker-planted `.pickle.gz` file. A detailed, working proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no public evidence of active exploitation at time of analysis.

Deserialization Python Canonical +6
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Server-side request forgery in Crawl4AI's Docker API server (versions before 0.8.7) allows remote unauthenticated attackers to coerce the server into making arbitrary internal requests. The /crawl/job and /llm/job endpoints accept caller-supplied webhook URLs without validating the destination, so an attacker can target private IP ranges, Docker network internals, or the cloud metadata endpoint (169.254.169.254) to reach otherwise unreachable services and harvest credentials. CVSS 4.0 rates it 9.2 (critical); no public exploit identified at time of analysis, and it is not listed in CISA KEV.

SSRF Docker Crawl4ai
NVD GitHub
MEDIUM POC PATCH This Month

Path traversal in psd-tools through v1.17.0 exposes any application processing untrusted PSD files to arbitrary file write and secondary arbitrary file read via the SmartObject API. SmartObject.save() consumes the embedded smart-object filename verbatim from the PSD binary - without basename stripping, absolute-path rejection, or directory-escape filtering - allowing a crafted PSD to write attacker-supplied bytes to any path the process can reach. A secondary issue in SmartObject.open() for external-kind objects uses the attacker-controlled fullPath descriptor as a read source, enabling file exfiltration to the write destination. A standalone proof-of-concept is publicly confirmed in the advisory; the fix is vendor-confirmed in v1.17.1 (PR #657). No public exploit identified at time of analysis beyond the advisory-embedded POC, and no CISA KEV listing was found.

Python Path Traversal Buffer Overflow +3
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

Credential file exfiltration in SiYuan prior to 3.7.1 is possible through the POST /api/file/globalCopyFiles endpoint, which accepts arbitrary absolute source paths and relies on an incomplete denylist in util.IsSensitivePath to block sensitive files. The denylist omits common credential files including .git-credentials, .netrc, .pgpass, .kube/config, .docker/config.json, and .gnupg, enabling an authenticated administrator or API-token holder to copy these files into the workspace and read them via the file API. No public exploit code or CISA KEV listing exists at time of analysis, but the Docker tag suggests this is relevant in containerized deployments where host-mounted credential files may be accessible.

Information Disclosure Docker Siyuan
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated access to the self-hosted HTTP transport of DeepSeek MCP Server (versions 1.4.2-1.7.x) allows any network-reachable client to initialize a valid MCP session, enumerate server tools, and invoke them without credentials - including `deepseek_chat`, which silently consumes the server operator's `DEEPSEEK_API_KEY`. Default Docker deployments expose port 3000 in HTTP mode out of the box, maximizing the attack surface for any container running on a network-accessible host. No public exploit has been identified at time of analysis, though the GitHub advisory references reproduced testing confirming the full bypass against commit `5e1302171e99`.

Authentication Bypass Docker Deepseek Mcp Server
NVD GitHub
CVSS 7.5
HIGH POC PATCH This Week

Boolean-based blind SQL injection in YesWiki's public Bazar entry-listing API allows unauthenticated attackers to read arbitrary database contents by abusing numeric query/queries filters. Because numeric field values are escaped with mysqli_real_escape_string but inserted into the SQL statement without quotes or numeric validation, injected boolean expressions (e.g. '100 OR (SELECT COUNT(*) FROM yeswiki_users)>0') are evaluated by the database, turning the public endpoints into a data-exfiltration oracle. A detailed, self-contained proof-of-concept is published in the advisory; a vendor patch (commit f3b0dd0) is available, though the issue is not listed in CISA KEV.

PHP Oracle SQLi +1
NVD GitHub
CVSS 8.2
HIGH POC PATCH This Week

Signature-verification bypass in YesWiki (v4.6.5 and earlier, ActivityPub-federated Bazar forms) lets an unauthenticated remote attacker forge a valid ActivityPub actor and have Create/Update/Delete activities processed as if properly signed. The flaw stems from HttpSignatureService::verifySignature() using a loose boolean check (!openssl_verify(...)) that treats openssl_verify()'s -1 internal-error return as success. A detailed proof-of-concept exists (publicly available exploit code exists) demonstrating full CRUD on Bazar entries; the issue is not in CISA KEV and no EPSS score was provided.

CSRF Jwt Attack SSRF +4
NVD GitHub
HIGH POC PATCH This Week

{{ 7 * 7 }} rendering as 49, escalated to an interactive reverse shell); this vulnerability is not in CISA KEV and there is no evidence of active exploitation.

RCE PHP Ssti +1
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution in Ruflo (an agent meta-harness for Claude Code and Codex) before 3.16.3 arises because the default docker-compose deployment exposes the MCP bridge's POST /mcp and POST /mcp/:group endpoints with no authentication. A network attacker can send a JSON-RPC tools/call to the terminal_execute tool to gain an interactive shell inside the bridge container, exfiltrate provider API keys, and tamper with AgentDB learning-store patterns. Rated CVSS 10.0 with a scope change; no public exploit identified at time of analysis, and it is not in CISA KEV.

Command Injection Docker
NVD GitHub
HIGH POC PATCH This Week

Server-side request forgery (and cross-scheme local file disclosure) in the Ruby css_parser gem (all versions prior to 3.0.0) lets an attacker who can land a single @import url(...) rule in parsed CSS force the server to issue arbitrary HTTP/HTTPS GETs to any internal host, port or IP, and — via an attacker-controlled 302 redirect to a file:// URI — read local files. Premailer-style consumers that re-emit the parsed CSS into rendered HTML/email leak any CSS-shaped response bytes back to the attacker, turning this into a data-exfiltration channel rather than a blind SSRF. No public CVSS is published and it is not in CISA KEV, but a complete working proof-of-concept (poc.rb) is included in the advisory, so publicly available exploit code exists.

Kubernetes Hashicorp SSRF +7
NVD GitHub
HIGH POC PATCH This Week

Root-privileged arbitrary directory creation and file write affects Note Mark (self-hosted notes application) versions <= v0.19.4, arising because book and note slug validation uses the unanchored huma OpenAPI pattern '[a-z0-9-]+', letting a low-privilege authenticated user store a path-traversal slug such as '../../../../etc/cron.d/x'. When an administrator later runs the 'note-mark migrate export' or 'export-v1' CLI (routinely as root in Docker), the exporter joins the raw slug into the output path and writes '_index.md' outside the export directory, enabling escalation to code execution as root. Publicly available exploit code exists (a version-pinned Go reproducer plus an end-to-end Docker walkthrough); this is the unpatched sibling of GHSA-g49p-4qxj-88v3 and is not listed in CISA KEV.

RCE OpenSSL Docker
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Memory-exhaustion denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4 (beautifulsoup4), lets remote unauthenticated attackers crash Python services by submitting a large comma-separated CSS selector to soupsieve.compile() or Beautiful Soup's .select()/.select_one(). Each comma-delimited item is parsed into a ~976-byte object graph with no cap on list length, so a ~500 KB selector string of 'a,a,a,...' expands to roughly 244 MB of heap (a ~488x amplification), triggering OOM kills or MemoryError. A working proof-of-concept is published in the advisory; no CISA KEV listing or in-the-wild exploitation is reported.

Kubernetes Python Denial Of Service +1
NVD GitHub
CVSS 3.1
LOW PATCH Monitor

Open redirect in waku's `unstable_redirect()` server-side router helper allows a network attacker to redirect victims' browsers to arbitrary external domains - including phishing sites for credential harvesting and OAuth token theft - by injecting a malicious `location` string into any waku route that passes user-controlled query parameters to the function. The vulnerability affects waku 1.0.0-beta.0 across all supported runtime adapters (Node.js, Cloudflare Workers, Vercel Edge, Deno), as the reflection path in `handler.ts` is shared. A dynamic proof-of-concept was confirmed by the reporter in two independent Docker-based runs against commit 8e9f542; no vendor-released patch is confirmed at time of analysis, though a v1.0.0-beta.1 release tag appears in advisory references.

Node.js Open Redirect Docker
NVD GitHub
CVSS 10.0
CRITICAL POC PATCH Act Now

OS command injection in Nuclio (serverless platform) versions <= 1.15.27 lets attackers run arbitrary shell commands as root inside Kubernetes CronJob pods by submitting a function with a crafted cron trigger. The controller concatenates unsanitized `event.headers` keys and `event.body` values into a `/bin/sh -c` curl string; a header key containing a double-quote breaks quoting, and a body containing `$()` triggers command substitution (strconv.Quote does not escape it). Because the Nuclio Dashboard API is unauthenticated in its default configuration, this is remotely reachable; no public exploit is identified in KEV, though a detailed, dynamically-verified PoC accompanies the advisory.

Python Kubernetes Microsoft +3
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Container-to-host sandbox escape in HashiCorp Nomad and Nomad Enterprise lets an authenticated job submitter using the Docker task driver bind-mount an arbitrary host path into their container even when volume bind mounts are administratively disabled, enabling read and write access to files on the underlying host. The scope-changing flaw (CVSS 3.1 8.7) affects the Community and Enterprise editions and is fixed in Nomad 2.0.4 (CE), and Enterprise 2.0.4, 1.11.8, and 1.10.14. There is no public exploit identified at time of analysis and it is not on CISA KEV.

Hashicorp Information Disclosure Docker
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Host namespace escape in HashiCorp Nomad and Nomad Enterprise lets an authenticated job submitter bypass the allow_privileged control for the Docker task driver, launching containers in host PID/network/IPC namespaces to read data from the host or co-located workloads on the same client node. The flaw stems from missing authorization enforcement (CWE-862) and carries a CVSS 7.7 with a changed scope, reflecting cross-tenant impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Hashicorp Docker +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authentication bypass in Portainer Community Edition (2.39.0-2.39.3 and 2.40.0 through 2.42.x) lets an unauthenticated network attacker seize full administrative control of a freshly deployed, uninitialized instance. During the five-minute post-deployment setup window the /api/restore and /api/users/admin/init endpoints stay reachable without credentials, so an attacker who wins the race can create the first admin account or restore a crafted backup and take over the platform along with every Docker, Swarm, Kubernetes and ACI environment it manages. No public exploit identified at time of analysis and it is not on CISA KEV, but the fix is available in 2.39.4 and 2.43.0.

Authentication Bypass Kubernetes Docker +1
NVD GitHub VulDB
CVSS 7.7
HIGH POC This Week

Path traversal in Goploy's `/deploy/fileDiff` endpoint (versions <=1.17.5) enables any authenticated low-privilege member to read arbitrary files on both the Goploy host and every SFTP-managed remote server registered in the system. The dual file read returns local content in the `srcText` response field and remote server content in `distText`, multiplying the blast radius across all managed deployment targets. Publicly available exploit code exists per the GitHub Security Advisory; this is not listed in CISA KEV, but exploitation conditions are trivially met under default Goploy configuration.

Python Path Traversal Microsoft +3
NVD GitHub
CVSS 9.6
CRITICAL POC Act Now

Cross-namespace privilege escalation in goploy (zhenorzz/goploy through 1.17.5 and develop HEAD) lets any authenticated user holding the low-privilege `manager` role in their own namespace read, overwrite, plant, or delete project files in ANY other tenant's project, and rewrite any project's git remote URL, because the `/project/addFile`, `/project/editFile`, `/project/removeFile`, and `/project/edit` handlers act on body-supplied project/file row ids without verifying the target belongs to the caller's namespace. The rewritten git remote escalates to remote code execution on the next deploy, when goploy runs `git remote set-url origin <attacker-url>` and pulls attacker-controlled code under the goploy service account. A detailed proof-of-concept exists demonstrating all four primitives against the published Docker image, though no active exploitation has been reported.

Authentication Bypass Docker
NVD GitHub
HIGH POC PATCH This Week

Authenticated OS command execution in EGroupware allows an administrator to escalate from web-application access to arbitrary shell commands as the web server user (typically www-data). The flaw lives in the eTemplate engine's Widget::expand_name(), where widget attribute values are passed into a PHP eval() with only double-quotes escaped, leaving backtick shell-execution operators intact; an admin uploads a malicious .xet template to the /etemplates VFS mount to trigger it. A detailed proof-of-concept is published in the vendor's GitHub Security Advisory (publicly available exploit code exists), though there is no evidence of active exploitation.

Command Injection PHP RCE +1
NVD GitHub
HIGH PATCH This Week

Path traversal in XWiki running on Jetty 12+ lets remote users read arbitrary files the Jetty process can access by sending doubly URL-encoded '../' sequences to the skin resource endpoint (e.g. /xwiki/bin/skin/..%252f/..). Depending on how deep the webapp sits below root, this exposes both in-webapp secrets such as WEB-INF/xwiki.cfg and Hibernate configuration, and out-of-webapp OS files like /etc/passwd. No public exploit or active exploitation is tracked, but the vendor advisory (GHSA-qj4x-9g63-25g6) itself publishes working request URLs, so weaponization is trivial.

Atlassian Information Disclosure Tomcat +1
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

OS command injection in Coolify's database service configuration API allows authenticated administrators to execute arbitrary shell commands within Docker container contexts by embedding shell metacharacters into database credential fields. All Coolify versions prior to 4.0.0-beta.474 are affected, covering deployments managing Redis, KeyDB, Dragonfly, ClickHouse, PostgreSQL, and MySQL services. No public exploit code has been identified at time of analysis, and the CVSS PR:H requirement confines the attack surface to already-privileged admin accounts, positioning this as a post-compromise escalation risk rather than an initial access vector.

Command Injection Docker Coolify
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

OS command injection in Coolify, the open-source self-hostable server/application/database management PaaS, allows an authenticated user with permission to edit application settings (versions prior to 4.0.0-beta.469) to run arbitrary commands on the managed host. The flaw lives in the executeInDocker() helper, which wraps user-controlled values in single quotes without escaping embedded quotes, letting an attacker break out of the quoted shell context during deployments and escape the intended Docker container confinement. No public exploit identified at time of analysis; this is not listed in CISA KEV.

Command Injection Docker Coolify
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

OS command injection in Coolify (self-hosted server/app management platform) before 4.0.0-beta.471 lets an authenticated user embed shell metacharacters in a LocalPersistentVolume storage name, which is interpolated unescaped into docker volume shell commands and executed on managed servers when the associated resource is deleted. Rated CVSS 8.8 (CWE-78), it yields arbitrary command execution on downstream hosts controlled by the Coolify instance. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix is confirmed in release 4.0.0-beta.471.

Command Injection Docker Coolify
NVD GitHub
LOW Monitor

Stored cross-site scripting in Kiwi TCMS versions prior to 16.1 allows authenticated users to inject arbitrary JavaScript into the `TestCase.extra_link` and `TestPlan.extra_link` fields, which are rendered verbatim to all subsequent viewers. Official Docker-based deployments are substantially protected by a `Content-Security-Policy` header that blocks inline script execution, but customized deployments that alter default middleware or security settings remain fully exploitable. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

XSS Docker
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Privilege escalation to root command execution in Coolify (self-hosted PaaS) prior to 4.0.0-beta.471 lets any authenticated user holding the lowest-privilege team 'member' role run arbitrary OS commands as root on every server Coolify manages. The flaw lives in the GetLogs Livewire component, whose $container public property is unsanitized and lacks the #[Locked] attribute, so any team member can tamper with it over the Livewire wire protocol. There is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but the low authentication barrier and full CIA impact make it high priority for any multi-tenant Coolify deployment.

Command Injection Docker Coolify
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

OS command injection in Coolify (self-hosted server/app/database management platform) versions 4.0.0-beta.471 through 4.0.0-beta.473 lets an authenticated team member run arbitrary shell commands on the underlying host. A regression weakened the SHELL_SAFE_COMMAND_PATTERN allowlist so that ampersands were permitted in custom Docker Compose build, start, and pre/post-deployment command fields, enabling command chaining. The issue is fixed in 4.0.0-beta.474; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Command Injection Docker Coolify
NVD GitHub
EPSS 0% CVSS 3.8
LOW PATCH Monitor

OS command injection in Coolify's settings module allows a highly privileged attacker in a development environment to execute arbitrary shell commands on the host server by injecting metacharacters into the dev_helper_version field, which is passed unsanitized into a Docker build command. All Coolify releases prior to 4.0.0-beta.474 are affected. No public exploit code exists and no CISA KEV listing has been issued; the provided CVSS score of 3.8 (Low) accurately reflects the highly constrained exploitation prerequisites, though the underlying command injection class warrants upgrade regardless.

Command Injection PHP Docker +1
NVD GitHub
LOW PATCH Monitor

Arbitrary file write as root via symlink attack in Linuxfabrik Monitoring Plugins affects any deployment using the provided sudoers configuration. The monitoring plugins create SQLite databases at predictable, static paths under /tmp; an attacker who has already gained access to the nagios service account can pre-place symlinks at those paths, and when a monitoring script is subsequently invoked via sudo, it follows the symlink and writes a SQLite database to any attacker-chosen path on the filesystem. A proof-of-concept is included in the GitHub Security Advisory GHSA-r35r-fpx2-jgr4, and no CISA KEV listing or CVSS score has been assigned at time of analysis.

Denial Of Service Docker
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in Crawl4AI's Docker API server (versions prior to 0.9.0) lets unauthenticated attackers run arbitrary commands as the container runtime user. The server passes request-supplied browser_config.extra_args directly into Chromium's launch arguments, enabling argument injection (CWE-88) of a malicious child-process launcher combined with --no-zygote. Because the Docker API is unauthenticated by default and CVSS is scored 10.0, a single crafted HTTP request achieves full container compromise; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Docker Google +1
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Server-side request forgery in Crawl4AI's Docker API server (versions prior to 0.9.0) lets a remote unauthenticated client coerce the server into fetching attacker-chosen internal, private, or link-local URLs and streaming the response body back. The SSRF destination allowlist check was enforced on the non-streaming /crawl path but omitted from the streaming code path, so requests to POST /crawl/stream - or POST /crawl with crawler_config.stream=true - bypass validation entirely. No public exploit identified at time of analysis, but the fix is public in commit 60886d1 and the root cause (a guard applied to one path but not its sibling) is trivial to reproduce.

SSRF Docker Crawl4ai
NVD GitHub
CVSS 8.4
HIGH POC PATCH This Week

Unauthenticated OS command execution in flyto-core (Python package, confirmed on 2.26.2) allows any client that can reach the HTTP MCP endpoint (POST /mcp) to run arbitrary shell commands as the server process. The JSON-RPC tools/call handler lacks the require_auth dependency present on the equivalent REST route, so an attacker can invoke execute_module against sandbox.execute_shell and reach asyncio.create_subprocess_shell with attacker-controlled input. Publicly available exploit code exists (a curl one-liner and poc.py in the advisory); there is no CISA KEV listing and no EPSS score provided, and by default the server binds to 127.0.0.1, making this a local (CVSS 8.4) issue that becomes network-exploitable only when started with --host 0.0.0.0.

Command Injection Python Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Sandbox boundary enforcement failure in PentAGI (vxcontrol) versions up to 2.1.0 allows authenticated remote users to break Docker containment controls via the Docker API client component in `backend/pkg/docker/client.go`, enabling limited information disclosure and unauthorized low-impact modifications within the Docker environment. The CVSS 4.0 vector (PR:L, AV:N, AC:L) confirms low-privilege network-reachable exploitation with no user interaction required, though all impact metrics remain Low and no host-level breakout is indicated. No public exploit code exists and this vulnerability is not listed in CISA KEV; an upstream fix is pending as an unmerged GitHub pull request.

Information Disclosure Docker Pentagi
NVD VulDB GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Reverse-proxy authentication bypass in the official Gitea Docker image (versions up to and including 1.26.2) allows any source IP to impersonate arbitrary users because the image ships with REVERSE_PROXY_TRUSTED_PROXIES=* by default. When an operator enables reverse-proxy header authentication (e.g. X-WEBAUTH-USER), the wildcard trust list means Gitea accepts those identity headers from any client rather than only from a trusted front-end proxy, granting full account takeover including administrator access. No public exploit has been identified at time of analysis, and the issue is patched in Gitea 1.26.3.

Authentication Bypass Gitea Docker +1
NVD GitHub
LOW POC PATCH Monitor

Unauthenticated OAuth client secret disclosure in Dragonfly Manager (dragonflyoss/dragonfly <= v2.4.3) exposes GitHub and Google OAuth client_secret values to any host that can reach the Manager REST API port. The GET /api/v1/oauth and GET /api/v1/oauth/:id handlers omit the jwt.MiddlewareFunc() and RBAC middleware enforced on every other admin route group in the same router file - including the write methods (POST, DELETE, PATCH) in the same /oauth group - and the models.Oauth struct serializes ClientSecret without redaction. A detailed proof-of-concept with captured output is included in the advisory; no CISA KEV listing is present and EPSS data is unavailable.

Google Authentication Bypass Redis +2
NVD GitHub
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfiltrate files from the PostgreSQL host even under the strict default config (allow_dangerous_operations=False, allowed_statement_types=['SELECT']). The _validate_query blocklist enumerates dangerous functions by exact name and misses the pg_read_file/pg_stat_file/pg_ls_*/pg_current_logfile family (plus MSSQL OPENDATASOURCE and keyword-less SQLite ATTACH), so these SELECT-shaped payloads pass both the statement-type allowlist and the regex blocklist and reach the live SQLAlchemy engine. Publicly available exploit code exists (a working PoC ships in the GHSA advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Python Path Traversal +2
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Path traversal in Langroid's ReadFileTool and WriteFileTool lets a tool caller escape the configured curr_dir workspace boundary by supplying '../' sequences in file_path, because the tools only chdir into curr_dir without resolving and enforcing that the final path stays inside it. Applications that expose these file tools to an LLM agent or user-influenced tool calls can have arbitrary files read or written outside the intended project/sandbox directory, exposing secrets, config, and source files or corrupting files elsewhere on the host. Publicly available exploit code exists (a working PoC is included in the report demonstrating both read and write escapes), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

Python Path Traversal Docker
NVD GitHub
CVSS 9.8
CRITICAL POC PATCH Act Now

Missing authentication in mcp-memory-service's HTTP REST server exposes every route under /api/documents/* without any credential check, even when the operator has enabled MCP_API_KEY or OAuth, so remote attackers can upload, read, and delete stored memories at will. Because the sibling /api/memories router correctly enforces auth (returning 401), the gap is an inconsistent, easily-discovered authentication boundary that grants full confidentiality, integrity, and availability impact. A working PoC and vendor GitHub Security Advisory (GHSA-84hp-mqvj-3p8h) exist, so publicly available exploit code exists, though no CISA KEV listing or EPSS score was provided.

Authentication Bypass Python Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL Act Now

Unauthenticated OS command injection in Notifiarr Dockwatch through version 0.6.567 lets remote attackers run arbitrary shell commands on the host and achieve full compromise, since default deployments mount the Docker socket. The root cause is an Execution-After-Redirect flaw (CWE-698) where loader.php redirects unauthenticated users but fails to call exit(), allowing the attacker to seed the required session flag and then reach shell_exec() in ajax/compose.php with attacker-controlled input. The CVSS 4.0 base score is 9.2 (VC/VI/VA all High); there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though a vendor advisory and upstream fix exist.

Command Injection PHP Docker +1
NVD GitHub
CVSS 8.1
HIGH POC PATCH This Week

Apify API token exfiltration in @apify/actors-mcp-server 0.10.7 lets a remote attacker steal a victim's bearer credential via URL authority injection (CWE-918/SSRF). Because getActorMCPServerURL() naively concatenates a trusted standby base URL with an attacker-controlled webServerMcpPath from an Actor definition, an Actor published with a value like '@attacker.example/mcp' causes the WHATWG URL parser to resolve the outbound connection to the attacker's host, and connectMCPClient() unconditionally forwards the victim's 'Authorization: Bearer <APIFY_TOKEN>' header there. Publicly available exploit code exists (a Docker-based PoC that captures the token on an attacker HTTPS server); no active exploitation is confirmed.

Python SSRF OpenSSL +3
NVD GitHub
LOW PATCH Monitor

Unvalidated bearer realm URL handling in oras-go v2 ≤ 2.6.0 enables two distinct attack primitives against users who run oras operations against a malicious, compromised, or man-in-the-middle'd registry: server-side request forgery (SSRF) to internal network endpoints including cloud instance metadata services, and TLS downgrade that exposes user credentials in plaintext. The OCI distribution spec legitimately allows cross-host realm references for split-auth deployments (e.g., Docker Hub's auth.docker.io pattern), but oras-go failed to block private IP literals, loopback addresses, and scheme downgrades from https to http - patterns that are never legitimate under any valid registry trust model. No active exploitation has been confirmed (not in CISA KEV), and a patch is available in v2.6.1.

SSRF Microsoft Docker
NVD GitHub
CVSS 5.3
MEDIUM PATCH This Month

{id}/release` still call `json.NewDecoder(r.Body)` with no body-size cap, allowing a remote unauthenticated attacker to drive process RSS from ~8 MB baseline to ~450 MB with a single 16 MB request (~28× amplification), with no memory recovery between requests. A working proof-of-concept with exact reproduction steps is published in the advisory; no KEV status confirmed at time of analysis.

Denial Of Service Docker
NVD GitHub
CVSS 4.8
MEDIUM PATCH This Month

Prototype pollution in @hey-api/openapi-ts affects all versions through 0.97.2, allowing remote unauthenticated attackers to substitute the prototype chain of the returned params slot object by passing a crafted key such as '$query___proto__' through any application that forwards user-supplied parameters to a generated SDK method. The flaw resides in a runtime template (dist/clients/core/params.ts) that is copied verbatim into every generated SDK, meaning every downstream npm package regenerated from this tool carries the vulnerable code - confirmed affected consumers include @opencode-ai/sdk and @trigger.dev/sdk. A functional proof-of-concept is publicly available; exploitation is not confirmed as actively exploited and is absent from CISA KEV.

Node.js Docker Code Injection +1
NVD GitHub
LOW POC PATCH Monitor

{table}/{digest}`) allows any authenticated user to read, write, or delete blobs across all blob tables, entirely circumventing the GRANT-based access control that the SQL path correctly enforces. Verified against CrateDB 6.2.7 and present since the blob HTTP handler was introduced, `io.crate.protocols.http.HttpBlobHandler` authenticates the connecting user but never invokes `AccessControl`, making blob operations permissible to any valid credential holder regardless of table-level privileges. A complete end-to-end Docker PoC is included in the report demonstrating both unauthorized read (HTTP 200) and unauthorized delete (HTTP 204) while the SQL path correctly returns a permission error for the same user; no KEV listing and no EPSS data are available at time of analysis.

Authentication Bypass Oracle Java +1
NVD GitHub
EPSS 1% CVSS 7.0
HIGH PATCH This Week

OS command injection in AWS aws-cdk-lib lets an actor who controls a dependency version string in a project's package.json run arbitrary commands on the host executing the CDK toolchain. The flaw lives in the OsCommand helper of the NodejsFunction Docker bundling pipeline, which passes unsanitized version strings into a shell during nodeModules installation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; AWS has released a fixed version (v2.260.0).

Command Injection Docker Aws Cdk
NVD GitHub
HIGH POC PATCH This Week

Cross-site scripting in the wetty web-terminal client (npm package `wetty`, default configuration) lets any writer of content a victim renders inject keystrokes into that victim's live SSH session. The client base64-decodes an attacker-controlled filename from the documented file-download escape sequence (`\x1b[5i<name>:<content>\x1b[4i`) and interpolates it raw into a Toastify toast with `escapeMarkup:false`, so script runs in the wetty origin and can call `window.wetty_term.input()` to type commands and read the terminal buffer. A detailed proof-of-concept is published in the GitHub Security Advisory (GHSA-p26j-h7wj-r568), so publicly available exploit code exists; there is no public evidence of active exploitation at time of analysis.

XSS Docker
NVD GitHub
CVSS 7.4
HIGH POC PATCH This Week

Server-Side Request Forgery in auth-fetch-mcp v3.0.1 lets an attacker who controls the url argument of the auth_fetch or download_media MCP tools reach loopback and private-range services that the built-in assertSafeUrl() guard is supposed to block. The bypass works by encoding the target as an IPv4-mapped IPv6 literal (e.g. http://[::ffff:127.0.0.1]:PORT/), which Node's WHATWG URL parser normalizes to ::ffff:7f00:1 so the private-IP check falls through. A detailed, reproduced proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no vendor-released patch identified at time of analysis. CVSS 3.1 is 7.4 (High); EPSS was not provided.

Node.js SSRF Docker +1
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL PATCH Act Now

Arbitrary JavaScript execution in Crawl4AI's Docker API server (versions before 0.8.7) lets remote attackers submit code to the /execute_js endpoint, which runs it inside the server's Chromium browser context launched with --disable-web-security. Because the browser's same-origin and CORS protections are disabled, attacker-controlled JavaScript can pivot into server-side request forgery against internal services and metadata endpoints. No public exploit has been identified at time of analysis, and the CVSS 4.0 base score is 9.2 (critical), though the vector's high attack complexity and present attack requirements indicate exploitation is not fully trivial.

Code Injection SSRF Docker +2
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Authentication bypass in Presenton's bundled MCP server exposes server and Docker deployments to unauthenticated remote exploitation via the unprotected /mcp endpoint. When operators configure session authentication using AUTH_USERNAME/AUTH_PASSWORD, nginx enforces access control on all paths except /mcp, which is absent from the auth_request gate - and the MCP server compounds this by auto-minting valid internal session tokens for the configured user on any incoming request. An unauthenticated remote attacker can therefore invoke MCP tools such as generate_presentation as if fully authenticated, consuming the operator's LLM API keys and writing arbitrary presentations to the instance. A publicly available proof-of-concept exists; no active exploitation confirmed in CISA KEV.

Authentication Bypass Nginx Docker +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Authenticated command injection in Coolify's CA Certificate management feature (all versions prior to 4.0.0-beta.464) lets any logged-in user inject arbitrary OS commands that execute as the configured SSH user on a managed server. Because Coolify requires that SSH user to be root or a docker-group member, successful exploitation yields full compromise of the managed host and every Docker container it runs. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and minimal privilege requirement make it a high-priority patch for any multi-user Coolify instance.

Command Injection Docker Coolify
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

{$command}'` invocation without sanitizing single quotes, and the user-controlled `docker_compose_custom_build_command` and `docker_compose_custom_start_command` fields are interpolated directly into that shell string. No public exploit has been identified at time of analysis, but the CVSS scope-change flag (S:C) confirms the critical container-to-host escape dimension, and the injection technique is well-understood - making the practical impact substantially higher than the reported 6.6 base score implies.

Command Injection Docker Coolify
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

Container escape in Gitea act_runner (Docker backend, through act 0.262.0) lets an authenticated user with workflow-execution rights break out to the host as root even when privileged mode is disabled. The runner passes a workflow's container.options string straight into the Docker job container's HostConfig and only forces the Privileged flag off, leaving dangerous options like --pid=host, --cap-add, and --security-opt intact. Publicly available exploit code exists (reported by VulnCheck), though it is not listed in CISA KEV.

Privilege Escalation Gitea Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution in Kestra orchestration platform before 1.0.45 and 1.3.21 lets anonymous attackers fully compromise the host. The REST API authentication filter treats any request path ending in /configs as the public instance-config endpoint, so an attacker appending the literal segment configs (e.g. to flow-create or execution-trigger routes) bypasses Basic-Auth, creates a flow with a Shell/Process task, and executes commands as root inside the container; with the default docker-compose mounting /var/run/docker.sock, this pivots to the host Docker daemon. No public exploit identified at time of analysis, but the technique is fully described in the vendor advisory and is trivially reproducible.

Code Injection Docker RCE +1
NVD GitHub VulDB
CVSS 5.5
MEDIUM POC PATCH This Month

Credential exposure in turso-cli versions 1.0.25 and earlier allows any local user on the same host to read the Turso platform JWT stored world-readable at mode 0o644 in settings.json, granting full access to all Turso organizations the victim belongs to. The root cause is turso-cli's failure to override Viper's insecure default configPermissions before writing credentials - a deviation from the explicit 0o600 baseline established by comparable CLIs including gh, aws, docker, and gcloud. A proof-of-concept demonstrating the 0o644 mode is included in the advisory; no active exploitation is listed in CISA KEV.

Privilege Escalation Apple Docker
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardcoded Rails secret (ENV SECRET_KEY_BASE=OVERWRITE_ME). Because the application uses cookies_serializer = :marshal, any logged-in user who knows this deterministic key can forge a signed cookie containing a malicious Marshal payload that is deserialized when reaching the /my/two_factor_devices cookie reader, yielding code execution on the server (CVSS 9.9, scope-changed). At the time of analysis there is no public exploit identified and the issue is not in CISA KEV, but the predictability of the default key makes exploitation straightforward for anyone running an unmodified image.

Deserialization Docker Openproject
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Container-to-host command execution in Dokku's cron plugin (versions prior to 0.38.7) lets an actor who can control an application's app.json schedule break out of the Docker container and run arbitrary commands on the host as the privileged Dokku user. Because the cron command was interpolated into a shell-evaluated line, special characters such as ';' or '>' were interpreted on the host rather than confined to the container, yielding a scope-changing escape (CVSS 9.9). No public exploit has been identified at time of analysis, but the root cause and fix are fully documented in the vendor advisory and patch.

Command Injection Docker Dokku
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary file write in Dokku before 0.38.2 lets an attacker with deploy-level access escalate to full shell access on the host. The git:from-archive and certs:add commands extract attacker-supplied tar/zip archives without sanitizing member paths, and because GNU tar creates and then follows symlinks during extraction, a crafted archive can plant files anywhere the dokku user can write - most damagingly ~/.ssh/authorized_keys. There is no public exploit identified at time of analysis and CISA SSVC records exploitation as none, but the technical impact is rated total.

Information Disclosure Docker Dokku
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

OS command execution on the Dokku host is possible through the openresty-vhosts plugin in versions prior to 0.38.2, where custom OpenResty include filenames from an app's git repository are interpolated unescaped into a single-quoted shell string that is later run through eval. An attacker who can deploy a Dokku app with the openresty proxy enabled can plant a file whose name contains a single quote to break the quoting and inject a command substitution, executing arbitrary commands as the dokku user on the next deploy. There is no public exploit identified at time of analysis and it is not in CISA KEV, though the upstream advisory and a security regression test document the mechanism precisely.

Code Injection Information Disclosure Docker +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Insufficiently protected credential storage in Dokku prior to 0.38.2 exposes git authentication secrets stored in $DOKKU_ROOT/.netrc to any local user who can traverse the Dokku home directory. The git:auth command pre-creates the .netrc file using bash's touch, which applies the process umask (0644) before the netrc binary runs - defeating the netrc binary's own 0600 enforcement because the file already exists at write time. No public exploit code exists and the vulnerability is not in CISA KEV, but the confidentiality impact is rated High given that plaintext git credentials (hostnames, usernames, passwords) are directly readable without any special tooling.

Information Disclosure Docker Dokku
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

OS command injection in Dokku (the Docker-powered self-hosted PaaS) prior to version 0.38.2 allows an authenticated user with git push access to execute arbitrary shell commands as the privileged dokku user. The flaw stems from a permissive app-name validation regex that accepts shell metacharacters, which are then interpolated unquoted into a generated bash pre-receive hook; a semicolon in the app name terminates the intended command and runs attacker-supplied commands on git push. There is no public exploit identified at time of analysis, but the fix is confirmed in 0.38.2 and the underlying mechanics are fully documented in the GitHub advisory and PR #8590.

Command Injection Docker Dokku
NVD GitHub
CVSS 9.9
CRITICAL POC PATCH Act Now

Privilege escalation to AWS IAM and PKI compromise in Netflix Lemur 1.9.0 (and earlier) lets any SSO-authenticated, low-privilege user chain an ACME acme_url SSRF with a creator-equality IDOR to steal the worker's AWS STS credentials and retain permanent access to issued TLS private keys. Because Lemur auto-provisions new SSO identities as active=True, any holder of a trusted federated identity can reach the vulnerable authority-creation and key-fetch endpoints. A detailed, fully reproduced proof-of-concept (Docker lab plus asciinema recording) exists publicly, though there is no public exploit identified as being used in active attacks and the issue is fixed in 1.9.2.

Python Authentication Bypass SSRF +2
NVD GitHub
CVSS 4.8
MEDIUM POC PATCH This Month

JWT algorithm confusion in Netflix Lemur 1.9.0 allows an attacker to control which signing algorithm the server trusts by supplying an arbitrary alg value in the unverified token header, which is passed directly to pyjwt.decode() instead of a server-pinned allowlist. On current PyJWT 2.x deployments the standalone impact is limited to audit-log blinding and a durable algorithm-downgrade primitive; full account takeover requires chaining with a separate LEMUR_TOKEN_SECRET disclosure vulnerability, after which a forged HS256 admin JWT yields HTTP 200 with role=admin. A public proof-of-concept walkthrough exists (asciinema); no active exploitation is confirmed in CISA KEV.

SSRF Jwt Attack Python +1
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Reverse-proxy takeover in Appsmith versions prior to 2.1 lets an authenticated low-privileged user abuse server-side request forgery to reach the bundled Caddy admin API, which ships with no authentication and listens on 0.0.0.0:2019 inside the container. By forcing the Appsmith server to issue a POST /load to that internal endpoint, the attacker rewrites the live Caddy configuration and seizes control of the reverse proxy that fronts the application. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the vendor-confirmed CWE-749 exposure carries a 9.9 CVSS rating.

SSRF Docker Appsmith
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Authenticated command execution in Appsmith versions prior to 2.1 lets any administrator run arbitrary OS commands inside the application's Docker container. The bundled supervisord exposes an XML-RPC management interface on port 9001, which Appsmith's Caddy reverse proxy publishes externally at /supervisor/* on the public ingress; combined with the supervisord password being readable through GET /api/v1/admin/env, an admin can authenticate to supervisord and abuse twiddler.addProgramToGroup to spawn programs that execute shell commands. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV. Fixed in 2.1.

Information Disclosure Docker Appsmith
NVD GitHub VulDB
EPSS 0% CVSS 1.1
LOW Monitor

Stored XSS in the AWS API key store component of Thinkst Applied Research Canarytokens allows a low-privileged attacker who knows a token's random identifier to inject persistent malicious scripts that execute in a victim's browser when they view the affected token page. Exploitation is constrained by high attack complexity (AC:H), a prerequisite attack requirement (knowledge of a random identifier), low-privilege authentication, and active user interaction - reflected in an extremely low CVSS 4.0 base score of 1.1. No active exploitation is confirmed; however, the CVSS 4.0 vector includes E:P, indicating proof-of-concept exploit code exists.

XSS Docker Canarytokens
NVD GitHub VulDB
CVSS 5.3
MEDIUM PATCH This Month

Unauthenticated remote action execution in motionEye (pip/motioneye < 0.44.0) exposes every camera action endpoint - snapshots, recording start/stop, and administrator-configured shell scripts - to any attacker who can reach port 8765, due to a missing @BaseHandler.auth() decorator on ActionHandler.post(). Dynamically confirmed on v0.43.1 in a Docker lab environment; exploitation requires only a single HTTP POST with no credentials, headers, or user interaction. Beyond the CVSS 5.3 Medium rating, real-world impact extends to physical security bypass (PTZ, alarms, lighting controls) if action scripts are configured, and SSRF via remote camera triggering - no public exploit or CISA KEV listing is identified at time of analysis.

Docker Authentication Bypass Python +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Command injection in mise's GitHub credential resolver executes attacker-controlled shell commands on the victim developer's machine when a malicious `.mise.toml` is placed in a repository and no higher-priority GitHub token environment variable is set. Versions v2026.3.15 through v2026.3.17 (and all releases up to < 2026.6.4) pass `github.credential_command` from untrusted local project config directly to `sh -c` without any trust verification. A working proof-of-concept is confirmed per GHSA-29hf-rm4x-xxph on Docker linux-arm64; no CISA KEV listing at time of analysis, but POC availability elevates practical risk above the moderate CVSS base score.

Command Injection Docker
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

{$exists:true}`) that override the builder's intended filter, returning or altering every document in a MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or JSON-body REST collection. A detailed working POC is published in the advisory; the issue is not in CISA KEV and EPSS is low (0.43%, 34th percentile), so this is publicly demonstrated but not yet confirmed as actively exploited.

SQLi Canonical Docker +4
NVD GitHub VulDB
EPSS 1% CVSS 10.0
CRITICAL POC PATCH Act Now

Remote code execution in Gogs self-hosted Git service before 0.14.3 allows unauthenticated attackers (where self-registration is enabled) to abuse unsanitized organization names containing '../' sequences to write Git repository files outside the intended storage root, then overwrite a repository's hooks/update script and trigger arbitrary command execution as the git user. The flaw carries a CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C) rating, and a fully working public proof-of-concept is published alongside the GHSA advisory, though no CISA KEV listing or EPSS data is provided in the input.

Docker RCE PostgreSQL +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored DOM-based XSS in Gogs versions prior to 0.14.3 allows any repository user with write access to inject JavaScript via a crafted milestone name, which executes in another user's browser when they open the New Issue page and interact with the milestone dropdown. The flaw is an incomplete fix for the earlier GHSA-vgjm-2cpf-4g7c, which patched view_content.tmpl but missed the identical sink in new_form.tmpl. A working PoC is published in the GitHub advisory, but no public exploit identified at time of analysis in CISA KEV or EPSS-tracked sources.

XSS Docker
NVD GitHub
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.

Command Injection Docker Apple +5
NVD GitHub VulDB
EPSS 2% CVSS 8.7
HIGH POC PATCH This Week

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update permissions) to abuse the Custom MCP Server feature and run arbitrary OS commands on the host. The validateCommandFlags blocklist and validateArgsForLocalFileAccess regex are incomplete - for example 'docker build' is permitted and 'npx --yes' is permitted while only '-y' is blocked - letting attackers point Flowise at a hostile Dockerfile or local script to achieve full host compromise. Publicly available exploit code exists (the GHSA advisory ships a reproduction), though there is no public exploit identified at time of analysis in CISA KEV.

Command Injection Docker Flowise
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Arbitrary file read in Budibase self-hosted server (@budibase/server <= 3.39.0) allows an authenticated workspace builder to exfiltrate any file readable by the server process by uploading a crafted PWA zip containing a symlink entry. Because the default `budibase/budibase:latest` Docker image runs Node as root, attackers can retrieve `/data/.env` (JWT_SECRET, INTERNAL_API_KEY, MinIO/Redis/CouchDB credentials, DATABASE_URL) and even `/etc/shadow`, enabling JWT forgery and full global-admin takeover. Publicly available exploit code exists - a complete working PoC is published in the GHSA advisory - though there is no public exploit identified at time of analysis beyond that disclosure write-up.

Docker CSRF PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in vLLM versions prior to 0.22.1 allows attackers to backdoor production LLM inference deployments through a dependency confusion attack in the project's Dockerfile. Because flashinfer-jit-cache was pulled via --extra-index-url with UV_INDEX_STRATEGY=unsafe-best-match while the name remained unregistered on PyPI, any attacker who claimed the name on PyPI with a higher version would have their code executed as root during every Docker build. No public exploit identified at time of analysis, but the supply-chain primitive is well understood and trivially weaponizable.

Docker RCE Vllm +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

DNS rebinding against the Glances XML-RPC server (`glances -s`) allows a network-adjacent or remote attacker to exfiltrate the full system monitoring dataset - including process command lines that routinely contain secrets - from a victim's browser without any authentication. The `GlancesXMLRPCHandler` in `glances/server.py` accepts arbitrary HTTP `Host` headers without validation, an omission that persists while the REST/WebUI server received an equivalent fix (TrustedHostMiddleware, v4.5.2) and the MCP server was protected since v4.5.1. No active exploitation is confirmed (not in CISA KEV), but a detailed proof-of-concept is published in the vendor's GitHub security advisory GHSA-w856-8p3r-p338 and the attack is materially amplified by the companion CORS wildcard issue CVE-2026-46608.

Kubernetes Docker RCE +3
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.

Grafana Docker Python +3
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.

Docker Python Privilege Escalation +3
NVD GitHub VulDB
CVSS 7.5
HIGH PATCH This Week

Unauthenticated information disclosure in WWBN AVideo (versions prior to 29.0) deployed via the official docker-compose.yml exposes the application's .env file at /.env, leaking database credentials, the SYSTEM_ADMIN_PASSWORD, and internal Docker network topology. The default Apache document root mount lacks any rule blocking dotfile access, so a single curl request to /.env returns plaintext secrets. No public exploit identified at time of analysis, though reproduction is trivial against any default Docker deployment.

Apache Docker Information Disclosure
NVD GitHub
Page 1 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy