Docker
Monthly
Unauthorized PII disclosure in Craft CMS GraphQL API allows cross-scope address enumeration via missing authorization check. A GraphQL API token scoped to any single low-privilege user group can read all addresses system-wide, including PII from restricted user groups (full names, home addresses, corporate addresses, tax IDs, GPS coordinates). The Address element resolver bypasses schema scope filtering that all other element resolvers enforce. Vendor-released patch: versions 5.9.18 and 4.17.12. Publicly available exploit code exists (detailed PoC in GitHub advisory). Affects all Craft CMS Pro deployments (v4.0.0+) using headless GraphQL APIs with user group scoping, a standard deployment pattern for Next.js/Nuxt/Gatsby frontends.
The ciguard static analysis container image (versions 0.1.0-0.8.1) runs as root due to a missing USER directive in the Dockerfile, creating a privilege-escalation amplification risk for future container-runtime escape vulnerabilities. This is a defence-in-depth gap rather than a directly exploitable vulnerability; running as a non-root user reduces the impact of hypothetical escapes (such as runc CVE-2024-21626) from host-root compromise to non-root user compromise. Vendor-released patch in v0.8.2 adds a dedicated non-root ciguard user and USER directive, verified by container inspection and automated regression testing in v0.8.3.
Arbitrary local file disclosure in changedetection.io allows remote unauthenticated attackers to read sensitive system files via crafted backup archives. When a malicious backup ZIP is uploaded and restored, the application trusts attacker-controlled paths in the history.txt file, enabling reads of files like /etc/passwd, environment variables, application secrets, and mounted Docker volumes through the Preview UI or history API. This vulnerability (CVSS 7.5) affects all versions through 0.54.10, with fix available in 0.55.1. No active exploitation (KEV) confirmed, but a detailed proof-of-concept exists demonstrating the complete attack chain from backup modification to file exfiltration. EPSS data not available, but the combination of network attack vector, no authentication requirement, and public exploit code makes this a priority for immediate patching.
Server-Side Request Forgery (SSRF) in open-webSearch's fetchWebContent MCP tool enables remote unauthenticated attackers to fetch arbitrary private-network URLs and receive full response bodies. Two defects in the `isPrivateOrLocalHostname` validator combine to allow bypass: bracketed IPv6 literals (e.g., `[::ffff:7f00:1]`) are never validated because Node's URL.hostname preserves brackets and Node's isIP() returns 0 for bracketed strings, and DNS resolution is never performed so attacker-controlled hostnames resolving to RFC1918 addresses pass unchecked. When deployed with HTTP transport enabled (documented configuration, active in Docker image), the MCP server binds to 0.0.0.0:3000 with CORS origin='*' and no authentication, exposing the vulnerable tool to any network attacker. Fixed in version 2.1.7. No public exploit identified at time of analysis, but vendor-supplied proof-of-concept demonstrates full exploit chain against AWS EC2 metadata and localhost services.
Path traversal in MinIO's ReadMultiple internode storage-REST endpoint allows authenticated cluster peers or root-credential holders to read arbitrary files from the host filesystem outside configured drive roots. Distributed-erasure (multi-node) deployments are affected; single-node standalone deployments are not. The vulnerability exists in all releases from RELEASE.2022-07-24T01-54-52Z through RELEASE.2025-09-07T16-13-09Z and has been fixed as of MinIO AIStor RELEASE.2024-10-23T19-38-07Z (with security patch RELEASE.2026-04-14T21-32-45Z recommended). No public exploit code or active exploitation has been identified at time of analysis.
Unauthenticated remote access to privileged management functions in Network-AI npm package (versions ≤5.1.2) allows attackers to read and mutate orchestrator configuration, enumerate and control agents, create or revoke security tokens, and adjust global budget ceilings. The MCP HTTP transport binds to 0.0.0.0 by default and accepts JSON-RPC tool invocation requests without authentication, session validation, or origin checks. Public exploit code exists demonstrating enumeration of 22 privileged tools and successful mutation of runtime configuration parameters via simple HTTP POST requests. Vendor-released patch: version 5.1.3 available per GitHub advisory GHSA-fj4g-2p96-q6m3.
Prototype pollution read-side gadgets in axios HTTP adapter enable credential injection, request hijacking to attacker-controlled servers, and SSRF against internal Unix sockets when Object.prototype is polluted by co-located dependencies. Five unguarded config properties (auth, baseURL, socketPath, beforeRedirect, insecureHTTPParser) silently inherit polluted values on every outbound HTTP request. Proof-of-concept code demonstrates request redirection and credential exfiltration. Fixed in axios 1.15.2 per GitHub advisory GHSA-q8qp-cvcw-x6jj. CVSS 7.4 (High) reflects network exploitability with high attack complexity; no public exploit identified at time of analysis beyond vendor-provided POC.
Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.
Authorization bypass in Docker Distribution Registry allows remote clients to delete image tags via the DELETE /v2/<name>/manifests/<tag> endpoint even when the operator has explicitly configured storage.delete.enabled: false. The tag deletion code path in registry/handlers/manifests.go bypasses the deletion authorization check present in digest-based manifest deletion, enabling attackers with network access to cause denial of service by removing tags and disrupting supply chain integrity of registries intended to be immutable.
Remote code execution as root in nginx-ui versions before 2.3.8 via unauthenticated backup restore within 10-minute startup window. Attackers exploit the completely unauthenticated /api/restore endpoint during initial installation to upload malicious backup archives that overwrite app.ini configuration with injected OS commands in TestConfigCmd setting. After automatic application restart, command injection triggers with privileges of the nginx-ui process - typically root in Docker deployments. EPSS data not available; no active exploitation reported but publicly disclosed via GitHub Security Advisory GHSA-4pvg-prr3-9cxr. Patch released in version 2.3.8.
Traefik's errors middleware discloses sensitive HTTP headers including Authorization and Cookie to separate error page services when backends return configured error status codes. Affected versions are Traefik v2.11.43 and earlier, v3.6.14 and earlier, and v3.7.0-rc.0 through v3.7.0-rc.2. The vulnerability allows credentials meant only for backend services to be forwarded to distinct error page infrastructure, expanding exposure across service boundaries. Vendor-released patches are available; actively exploited status not confirmed.
Remote unauthenticated attackers can bypass ExifTool tag blocklist in Gotenberg 8.x via group-prefixed tag names (e.g., 'System:FileName' instead of 'FileName'), enabling arbitrary file renaming, relocation, and permission modification within the container filesystem. One HTTP request exploits this input validation bypass (CWE-20) to circumvent protections from a prior security fix (GHSA-qmwh-9m9c-h36m). The vulnerability affects all metadata-accepting endpoints in Gotenberg's default configuration, which typically runs without authentication. No public exploit code is confirmed, but a detailed proof-of-concept is published in the GitHub advisory (GHSA-62p3-hvxx-fxg4). CVSS 8.2 reflects network vector with no authentication required, though real-world impact depends on container isolation and shared volume configurations.
Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.
Server-Side Request Forgery (SSRF) in n8n-mcp SDK allows authenticated remote attackers to access cloud metadata endpoints and internal network resources via IPv4-mapped IPv6 address bypass. Versions 2.47.4 through 2.47.13 fail to validate IPv6 addresses in the synchronous URL validator (SSRFProtection.validateUrlSync()), enabling attackers who control the n8nApiUrl parameter to bypass RFC1918, localhost, and cloud metadata protections using addresses like [::ffff:169.254.169.254]. The vulnerability is non-blind SSRF returning response bodies to the attacker, and forwards the n8nApiKey in the x-n8n-api-key header to attacker-controlled targets. Confirmed actively exploited (CISA KEV). Vendor-released patch: version 2.47.14. EPSS exploitation probability not provided but risk is elevated given KEV status and availability of exploit code in the GitHub advisory.
Argument injection in Gotenberg v8.30.1 and earlier allows unauthenticated remote attackers to manipulate filesystem operations by embedding newline characters in PDF metadata values. The vulnerability bypasses an incomplete fix from v8.30.1 that sanitized only metadata keys while leaving values unvalidated, enabling injection of ExifTool pseudo-tags like -FileName, -Directory, -SymLink, and -HardLink through the /forms/pdfengines/metadata/write endpoint. Attackers can move files to arbitrary paths (including overwriting /etc/passwd), create symlinks for read/write primitives, and persist data via hard links - all without authentication against default configurations. Vendor-released patch: version 8.31.0. CVSS 10.0 severity reflects the network attack vector (AV:N), no authentication requirement (PR:N), low complexity (AC:L), and scope change (S:C) enabling container escape scenarios. No public exploit identified at time of analysis, though complete PoC reproduction steps are documented in GitHub advisory GHSA-q7r4-hc83-hf2q.
Server-Side Request Forgery in Gotenberg 8.29.1 Docker image enables remote unauthenticated attackers to probe internal networks and trigger POST requests to arbitrary internal/external endpoints via the Gotenberg-Webhook-Url header. CVSS 8.6 High with Changed Scope (S:C) reflects the ability to pivot from the Gotenberg container to internal services. Publicly available exploit code exists (PoC published in GitHub advisory GHSA-5vh4-rgv7-p9g4). Vendor-released patch 8.31.0 implements IP resolution and non-public address blocking to prevent DNS rebinding and RFC1918/link-local targeting.
Gotenberg versions up to 8.30.1 allow Server-Side Request Forgery (SSRF) against internal networks and cloud metadata endpoints via case-variation bypass of webhook and downloadFrom deny-lists. Remote unauthenticated attackers can use uppercase URL schemes (HTTP://, HTTPS://) to circumvent the default case-sensitive regex (^https?://) protecting private IP ranges; Go's net/url.Parse() normalizes schemes to lowercase during connection establishment, completing the bypass. The flaw affects two features added in commit 3f01ca1 (April 2026): webhook callback URLs and downloadFrom file fetching. Vendor-released patch version 8.31.0 available. CVSS 9.1 (Critical) with Changed Scope reflects potential access to instance metadata services (e.g., AWS 169.254.169.254) and internal APIs that return sensitive data in Content-Disposition headers. This is a regression of the pattern previously fixed in CVE-2026-27018 for the Chromium deny-list.
The `BetaLocalFilesystemMemoryTool` in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes (`0o666` for files, `0o777` for directories), leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Users on the affected versions are advised to update to the latest version. Claude SDK thanks `lucasfutures` for the report.
Versions of `i18next-http-middleware` prior to 3.9.3 pass the user-controlled `lng` and `ns` values from `getResourcesHandler` directly into `i18next.services.backendConnector.load(languages, namespaces, …)` without any sanitisation. Depending on which backend is configured, the unvalidated path segments enable one of two attacks:

- **Filesystem path traversal** when the middleware is paired with `i18next-fs-backend` (or any backend that interpolates `lng` / `ns` into a filesystem path).
- **Server-Side Request Forgery (SSRF)** when the middleware is paired with `i18next-http-backend` (or any backend that interpolates into an HTTP URL).

Example request:

```
GET /locales/resources.json?lng=../../etc/passwd&ns=root
```

with `i18next-fs-backend` reads the attacker-chosen file from disk; with `i18next-http-backend` reshapes the outgoing URL to target an internal service.

- **Arbitrary file read** via `fs`-style backends - any file the Node process can read becomes reachable (source, configuration, `.ssh` keys, `.env`, Docker secrets, etc.).
- **SSRF** via `http`-style backends - requests to internal IPs / hostnames not normally reachable from the internet; combined with cloud metadata endpoints this can escalate to credential theft.
- **Unbounded growth of `i18next.options.ns`** - a now-incidental amplification: the pre-patch `getResourcesHandler` pushed every unique `ns` value into the shared `i18next.options.ns` singleton array without validation or bounds, enabling memory exhaustion from repeated unique payloads.

The severity is bounded by the backend in place, but the middleware itself exposed the unsanitised path; this is the "weakest link" layer.

Affected versions: `< 3.9.3`. Fixed in **3.9.3**.
The patch introduces `utils.isSafeIdentifier` and applies it in `getResourcesHandler` before `lng` and `ns` reach the backend connector:

```js
languages = languages.filter(utils.isSafeIdentifier)
namespaces = namespaces.filter(utils.isSafeIdentifier)
```

`isSafeIdentifier` uses a denylist approach - it still accepts any legitimate i18next language-code shape ([i18next FAQ](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)) - rejecting:

- `..` sequences (relative path traversal)
- path separators (`/`, `\`)
- control characters (C0/C1)
- prototype keys (`__proto__` / `constructor` / `prototype`)
- empty strings and values longer than 128 characters

Unsafe values are dropped; only safe values reach the backend. The fix is a defence-in-depth layer on top of any sanitisation the backend itself may apply.

No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects requests containing `..`, `/`, `\`, or URL-structure characters in `lng` / `ns` is a partial mitigation. Upgrading the configured backend (`i18next-fs-backend` ≥ 2.6.4, `i18next-http-backend` ≥ 3.0.5) also closes the same attack at the next layer.

- [GHSA-5fgg-jcpf-8jjw](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw) - prototype pollution via `setPath` and `missingKeyHandler`. Independently fixable, filed separately per CNA rules.
- [GHSA-c3h8-g69v-pjrg](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg) - HTTP response splitting + XSS-filter bypass (CVE-2026-41683).

Discovered via an internal security audit of the i18next ecosystem.
- [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html)
- [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) (specific sub-case when paired with an HTTP backend)
- [i18next FAQ: language code formatting](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)
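
The filtering step described in the i18next-http-middleware entry above, as an added example (not the project's `utils.isSafeIdentifier` source): a validator written from the rejection rules the advisory lists, applied to the decoded `lng` / `ns` values of a request. The function names, the space-separated splitting of `lng` / `ns`, the placeholder base URL and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: written from the rejection rules listed in the advisory text.
// It is not the source of the project's utils.isSafeIdentifier.

const MAX_IDENTIFIER_LENGTH = 128;
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// C0 (U+0000-U+001F) and C1 (U+0080-U+009F) control characters.
const CONTROL_CHARS = /[\u0000-\u001f\u0080-\u009f]/;

// Returns null when the value is acceptable, otherwise the rule it broke.
function rejectionReason(value) {
  if (typeof value !== 'string' || value.length === 0) return 'empty';
  if (value.length > MAX_IDENTIFIER_LENGTH) return 'too-long';
  if (value.includes('..')) return 'dot-dot';
  if (value.includes('/') || value.includes('\\')) return 'path-separator';
  if (CONTROL_CHARS.test(value)) return 'control-char';
  if (PROTOTYPE_KEYS.has(value)) return 'prototype-key';
  return null;
}

// Hypothetical name; mirrors the role of the patched helper, not its code.
function isSafeIdentifierSketch(value) {
  return rejectionReason(value) === null;
}

// Assumption: lng and ns arrive as query parameters, each a space-separated
// list. Validation runs on the percent-DECODED values, so encoded separators
// such as %2f or %5c are judged by what the backend would actually receive.
function filterResourceQuery(requestTarget) {
  // The base URL is a placeholder needed only to parse a relative target.
  const params = new URL(requestTarget, 'http://placeholder.invalid').searchParams;
  const result = { languages: [], namespaces: [], dropped: [] };
  for (const [param, bucket] of [['lng', 'languages'], ['ns', 'namespaces']]) {
    const values = (params.get(param) || '').split(' ').filter((v) => v !== '');
    for (const value of values) {
      const reason = rejectionReason(value);
      if (reason === null) {
        result[bucket].push(value);
      } else {
        // Record the parameter and rule only; the raw value is not echoed,
        // so control characters cannot end up in a log line.
        result.dropped.push({ param, reason });
      }
    }
  }
  return result;
}

// Constructed sample requests; the second is the example request from the page.
const SAMPLE_REQUESTS = [
  '/locales/resources.json?lng=en+de-CH&ns=common',
  '/locales/resources.json?lng=../../etc/passwd&ns=root',
  '/locales/resources.json?lng=en%5cUS&ns=common',
  '/locales/resources.json?lng=en%0d%0a&ns=common',
  '/locales/resources.json?lng=en&ns=__proto__',
];

for (const target of SAMPLE_REQUESTS) {
  const { languages, namespaces, dropped } = filterResourceQuery(target);
  console.log(JSON.stringify({ target, languages, namespaces, dropped }));
}
```

An empty `languages` or `namespaces` array after filtering means nothing from that parameter reaches the backend connector, which is the "unsafe values are dropped" behaviour the advisory describes.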
OpenShift Container Platform build system allows authenticated users with the edit ClusterRole to inject arbitrary environment variables into docker-build containers via the buildconfigs/instantiate API, enabling information disclosure attacks such as build traffic interception through LD_PRELOAD or http_proxy manipulation. This represents an incomplete remediation of a prior vulnerability, affecting confidentiality of sensitive build data with CVSS 4.3 (network-accessible, low complexity, authenticated). No public exploit code or active exploitation has been confirmed at the time of analysis.
Environment variable injection in OpenClaw (pre-2026.3.31) allows authenticated remote attackers to compromise host execution integrity by injecting malicious variables that override package managers, Docker registries, compiler paths, and TLS configurations during host exec operations. The vulnerability exhibits high confidentiality impact (CVSS:4.0 VC:H) with network attack vector and low complexity (AV:N/AC:L), requiring only low-privilege authentication (PR:L). VulnCheck disclosure indicates this affects Docker-related operations, with fixes available via GitHub commit eb8de67 and tracked under GHSA-cg7q-fg22-4g98. EPSS and KEV data not available at time of analysis.
Path traversal in HBAI-Ltd Toonflow-app up to version 1.1.1 allows authenticated remote attackers to read arbitrary files via manipulation of the url argument in the updateStoryboardUrl function of the Storyboard Export component. The vulnerability has a publicly available exploit, though the vendor disputes its practical exploitability, arguing the affected interface is designed to accept only local or trusted Docker-configured addresses. CVSS 4.3 reflects low confidence (RC:C) and unconfirmed exploitation probability (E:P).
OS command injection in Toowiredd chatgpt-mcp-server up to version 0.1.0 allows remote unauthenticated attackers to execute arbitrary system commands through the Docker service component. The vulnerability exists in src/services/docker.service.ts within the MCP/HTTP interface and has publicly available exploit code. The vendor has been notified but has not yet released a patch.
Soft-deleted public books in note-mark allow unauthenticated access to notes and assets via direct API endpoints and slug URLs. When a note-mark owner deletes a public book, the GORM soft-delete mechanism fails to filter raw SQL JOIN clauses in note and asset queries, leaving notes and uploaded content readable to any caller who knows the note ID or slug path. CVSS 5.3 (network, low complexity, no authentication required) reflects confidentiality impact; patch is available from vendor.
Remote authentication bypass in note-mark backend allows unauthenticated attackers to hijack OIDC user accounts by submitting the password 'null' to the internal login endpoint. Affected deployments running default configuration (EnableInternalLogin=true) with OIDC enabled permit complete account takeover of any OIDC-registered user. Attackers gain full access to private notebooks, markdown content, and uploaded assets, plus can persist access by overwriting the victim's password. Vendor patch available in commit dea5530c. CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) reflects the zero-interaction remote attack against default installations. No EPSS or KEV data available, but the detailed POC script in the advisory significantly lowers exploitation barrier.
Authentication bypass in Traefik's StripPrefixRegex middleware allows unauthenticated remote attackers to access protected resources when combined with ForwardAuth, BasicAuth, or DigestAuth. By inserting a percent-encoded dot (%2e) in the URL prefix, attackers exploit a length mismatch between decoded path matching and encoded path slicing, causing ForwardAuth to receive a dot-segment path (/./admin/secret) that bypasses protection rules while backend servers normalize it to the protected path (/admin/secret). Confirmed with working proof-of-concept against Traefik v3.6.11. Patches released for v2.11.43, v3.6.14, and v3.7.0-rc.2. No CVSS score assigned yet, but meets criteria for high severity given complete authentication bypass with network attack vector requiring no privileges or user interaction.
Authentication bypass in Traefik's ForwardAuth middleware allows remote attackers to spoof the X-Forwarded-Prefix header and gain unauthorized access to protected backend routes when deployed behind trusted upstream proxies. Despite trustForwardHeader=false configuration, Traefik fails to sanitize attacker-controlled X-Forwarded-Prefix values in authentication subrequests, enabling attackers to impersonate trusted path prefixes (e.g., /admin) and bypass authorization checks in the authentication service. The vulnerability affects Traefik v2.x and v3.x series and is confirmed patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. No KEV listing or EPSS data available at time of analysis, but a detailed proof-of-concept with complete Docker reproduction environment is publicly available in the GitHub advisory, significantly lowering exploitation complexity for attackers.
Unbounded memory allocation in Eclipse zserio serialization framework allows remote attackers to trigger system crashes via crafted payloads as small as 4-5 bytes, forcing allocations up to 16 GB and causing out-of-memory errors. Affects both C++ and Java runtimes used in Navigation Data Standard (NDS) implementations deployed across millions of vehicles from Toyota, BMW, Volkswagen, Mercedes-Benz, and 39 other automotive manufacturers. Vendor-released patch available in zserio v2.18.1, addressing unchecked length parameters in Array.h, BitStreamReader.h, and Java runtime equivalents. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation without authentication.
Unauthenticated attackers can steal admin tokens from Dgraph Alpha v25.3.2 and earlier via the exposed /debug/vars endpoint, enabling complete authentication bypass to administrative functions. The vulnerability exists because Dgraph incompletely fixed a previous cmdline exposure issue, blocking only /debug/pprof/cmdline while still serving Go's expvar handler at /debug/vars, which publishes the full command-line arguments including --security token= flags. Attackers can retrieve the token remotely without authentication (CVSS AV:N/PR:N) and replay it in X-Dgraph-AuthToken headers to access admin-only endpoints. Vendor patch released in v25.3.3 per GitHub advisory GHSA-vvf7-6rmr-m29q. No public exploit identified at time of analysis, but detailed proof-of-concept steps are published in the advisory.
Pre-authentication NoSQL injection in Dgraph allows remote unauthenticated attackers to exfiltrate entire databases and modify schemas via crafted JSON mutation keys. The vulnerability exploits unsanitized language tag fields in the addQueryIfUnique function, enabling DQL query injection through specially crafted HTTP POST requests to port 8080. Attackers can extract all database contents including credentials, secrets, and AWS keys with two HTTP requests against default configurations where ACL is disabled. CVSS 9.1 (Critical) with network vector, no authentication required, and low attack complexity. No public exploit code confirmed outside the GitHub advisory, though a complete proof-of-concept with video demonstration exists in the advisory. EPSS data not available for this recent CVE.
Remote unauthenticated attackers can exfiltrate all data from Dgraph databases via DQL injection in the /mutate endpoint's cond parameter. Default configurations with ACL disabled allow single HTTP POST requests to bypass authentication and execute arbitrary read queries, returning complete database contents including credentials, PII, and secrets. The vulnerability exploits unsanitized string concatenation in buildUpsertQuery() where user-supplied cond values are written directly into DQL queries without escaping or validation. Proof-of-concept demonstrates extraction of AWS credentials, GCP service account keys, and user secrets in a single request. No public exploitation confirmed at time of analysis, but POC code publicly available via GitHub advisory. EPSS data not available; CVSS 9.1 indicates critical severity with network vector and no authentication required.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows AND public-chatbotConfig return completely raw flowData including credential IDs, plaintext API keys, and password-type fields. This vulnerability is fixed in 3.1.0.
n8n-mcp v2.47.10 and earlier in HTTP transport mode logs sensitive authentication credentials and request metadata regardless of authentication outcome, allowing disclosure of bearer tokens, API keys, and JSON-RPC payloads to any system with access to server logs. While access control correctly rejects unauthenticated requests with 401 responses, the sensitive data from those rejected requests is persisted in logs before authentication is enforced, creating an information disclosure vulnerability (CWE-532) with CVSS 5.3 (low confidentiality impact). No public exploit code or active exploitation is documented; patch is available in v2.47.11.
SQL injection in Jellystat versions prior to 1.1.10 escalates to remote code execution on the PostgreSQL database host. Authenticated attackers can inject arbitrary SQL via multiple API endpoints (`/api/getUserDetails`, `/api/getLibrary`), initially exfiltrating sensitive credentials from the `app_config` table (including Jellystat admin credentials and Jellyfin API keys). Because the application uses node-postgres simple query protocol allowing stacked queries, attackers can leverage PostgreSQL's `COPY ... TO PROGRAM` to achieve command execution on the database server. The project's default docker-compose.yml deploys PostgreSQL with superuser privileges, removing any privilege barriers to RCE. Vendor patch released in version 1.1.10 (GitHub commit 735fe7c confirmed). No active exploitation confirmed by CISA KEV, but publicly available exploit code exists given the detailed technical disclosure in GitHub Security Advisory GHSA-fj7c-2p5q-g56m.
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability.
Cross-site scripting in mailcow dockerized versions prior to 2026-03b enables remote attackers to execute malicious JavaScript in victim browsers through a chained Login CSRF and Self-XSS attack. Exploitation requires low-privileged attacker credentials and victim interaction, but can result in unauthorized access to victim email accounts and session hijacking (CVSS 7.0, AV:N/AC:H/PR:L/UI:P). The vulnerability stems from insufficient HTML escaping of X-Real-IP header values in the login history dashboard, combined with server trust of client-supplied IP headers. No active exploitation or public POC identified at time of analysis, but technical details disclosed via GitHub Security Advisory make weaponization feasible.
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability.
Stored cross-site scripting (XSS) in mailcow: dockerized (versions prior to 2026-03b) allows remote unauthenticated attackers to execute arbitrary JavaScript in administrator sessions by delivering emails with malicious attachment filenames. When administrators view quarantined emails through the web interface, unsanitized filenames inject into HTML without escaping, triggering automatic JavaScript execution that can compromise administrator accounts. No public exploit or active exploitation confirmed at time of analysis, though CVSS 8.9 (CVSS 4.0) reflects high impact with low attack complexity requiring user interaction.
Stored cross-site scripting in mailcow dockerized versions before 2026-03b enables remote attackers to execute arbitrary JavaScript in admin sessions by injecting malicious code through unauthenticated Autodiscover requests. The payload persists in Redis and triggers when administrators view Autodiscover logs on the admin dashboard. CVSS 9.3 reflects the network attack vector and high cross-scope impact, though exploitation requires admin interaction (UI:P) and no public exploit has been identified at time of analysis.
Second-order SQL injection in mailcow: dockerized versions prior to 2026-03b allows authenticated API users with high privileges to execute arbitrary SQL commands through the quarantine notification system. Attackers inject malicious SQL via the quarantine_category field in /api/v1/add/mailbox endpoint, which executes when quarantine_notify.py runs its scheduled job, enabling data exfiltration of admin credentials and sensitive information through UNION-based queries rendered in notification emails. No public exploit code or active exploitation confirmed at time of analysis, with vendor patch available in version 2026-03b.
Privilege escalation in Neko virtual browser (versions 3.0.0-3.0.10, 3.1.0-3.1.1) allows any authenticated user with low privileges to immediately gain full administrative control over the entire instance, including member management, room settings, broadcast control, and session termination. This complete instance compromise requires only network access and valid user credentials (CVSS 8.8, AV:N/AC:L/PR:L). While EPSS exploitation probability is low (0.12%, 31st percentile) and no active exploitation has been confirmed, the vulnerability is trivially exploitable by any authenticated user and classified as non-automatable but with total technical impact per SSVC. Vendor patches are available in versions 3.0.11 and 3.1.2.
OpenClaw before version 2026.3.31 fails to sanitize environment variables in its host exec policy, allowing authenticated local attackers to override proxy, TLS, Docker, and Git TLS security controls. An attacker with local access and limited privileges can bypass intended security restrictions by injecting malicious environment variables, potentially disabling certificate verification or redirecting traffic through unauthorized proxies. No public exploit code has been identified, and the vulnerability requires process interaction (AT:P) to trigger.
Remote code execution with container escape in Flowsint OSINT tool allows unauthenticated attackers to execute arbitrary OS commands as root on the host machine. The vulnerability exploits shell metacharacter injection in the 'org_to_asn' transformer when processing organization nodes in OSINT sketches. With CVSS 9.3 (CVSS 4.0), network attack vector, low complexity, and no authentication required, this represents critical risk to any internet-exposed Flowsint instance. Upstream fix committed (b52cbbb904c) removes vulnerable code, but no tagged release version confirmed yet. CVSS vector indicates proof-of-concept exploit exists (E:P).
Authenticated low-privileged users in wger can modify installation-wide gym configuration via /config/gym-config/edit due to missing permission enforcement, enabling vertical privilege escalation. The GymConfigUpdateView declares 'config.change_gymconfig' permission but inherits WgerFormMixin instead of WgerPermissionMixin, causing the permission check to never execute. Exploiting this allows attackers to manipulate default gym assignments affecting all users, with GymConfig.save() automatically reassigning user profiles and creating gym configurations tenant-wide. CVSS 7.6 (High) with network attack vector, low complexity, and low privileges required. No active exploitation (KEV) or public POC identified at time of analysis, though GitHub advisory provides detailed reproduction steps.
Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c
GitHub Actions credential leakage in PraisonAI through ArtiPACKED attack exposes GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN in workflow artifacts. Versions 4.5.139 and below persist credentials in .git/config via actions/checkout without disabling persist-credentials, allowing any user with read access to public repository artifacts to extract tokens and compromise the supply chain. CVSS 9.1 (Critical) with network-accessible, unauthenticated attack vector. EPSS data not provided; no confirmed active exploitation (KEV status not indicated), but attack technique is publicly documented by Palo Alto Unit42 and widely reported. Vendor-released patch available in version 4.5.140.
Shell command injection in NSA Emissary's Executrix.getCommand() allows authenticated users with place configuration authorship to achieve arbitrary OS command execution when any payload is processed. The framework constructs /bin/sh -c commands by directly substituting IN_FILE_ENDING and OUT_FILE_ENDING configuration values into temporary file paths without escaping or validation, despite implementing input sanitization for similar parameters (placeName). Vendor-released patch available (commit 1faf33f). CVSS 8.8 (high) reflects local attack vector requiring low privileges, but scope change to C indicates container/JVM breakout potential. No CISA KEV listing or public exploit identified at time of analysis, though detailed proof-of-concept exists in advisory including Docker-based reproduction and unit test.
Command injection in simple-git npm package versions ≤3.28.0 enables arbitrary code execution via crafted Git options. Attackers who control Git command options can bypass the allowUnsafePack safety restriction using malformed variations of the -u flag (e.g., -vu, -4u, --u) to execute shell commands on Linux systems. This vulnerability stems from an incomplete fix for CVE-2022-25860, with proof-of-concept code publicly available demonstrating file creation via touch command. EPSS data not provid
Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.
Server-side request forgery in Arcane Docker management interface versions prior to 1.17.3 allows unauthenticated remote attackers to conduct SSRF attacks via the /api/templates/fetch endpoint. Attackers can supply arbitrary URLs through the url parameter, causing the server to perform HTTP GET requests without URL scheme or host validation, with responses returned directly to the caller. This enables reconnaissance of internal network resources, access to cloud metadata endpoints, and potential interaction with internal services from the server's network context. No public exploit identified at time of analysis.
CSRF vulnerability in Dockyard prior to 1.1.0 allows unauthenticated remote attackers to start or stop Docker containers by tricking a logged-in administrator into clicking a malicious link, since container control endpoints accept GET requests without CSRF token validation. An attacker can disrupt service availability or trigger unintended container state changes without authentication credentials. No active exploitation or public exploit code has been confirmed.
Server-Side Request Forgery in Sonicverse Radio Audio Streaming Stack dashboard API client allows authenticated operators to perform arbitrary HTTP requests from the backend server to internal or external targets. Affects Docker Compose deployments installed via the provided install.sh script, including one-liner installations. Attacker can exploit insufficient URL validation in apps/dashboard/lib/api.ts to access internal services, exfiltrate sensitive data from cloud metadata endpoints, or pivot to restricted network segments. CVSS 9.9 critical severity with changed scope indicates potential for significant cross-boundary impact. No public exploit identified at time of analysis.
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/terminal/ws` WebSocket endpoint. The terminal handler skips authentication validation entirely, accepting connections without credential checks and spawning PTY shells directly. Attackers obtain full interactive shell access as root in default Docker deployments through a single WebSocket connection, bypassing Marimo's authentication middleware. No public exploit identified at time of analysis.
Local trust-control bypass in mise (Rust task runner) versions ≤2026.3.17 allows attackers to inject malicious configuration through `.mise.toml` files, leading to arbitrary code execution. By setting `trusted_config_paths = ["/"]` in a project-local config file, attackers bypass the trust verification mechanism that should prevent execution of dangerous directives like `[env] _.source`, hooks, templates, and tasks. Exploitation requires victim interaction (cloning/opening a malicious repository), but no authentication. EPSS data not available; no confirmed active exploitation or public exploit code beyond the GitHub advisory's proof-of-concept. Attack complexity is high due to the requirement for victim action and specific execution context (mise hook-env invocation).
Remote code execution via OS command injection in suvarchal docker-mcp-server through 0.1.0 allows unauthenticated attackers to execute arbitrary commands by manipulating the stop_container, remove_container, or pull_image HTTP interface functions. Publicly available exploit code exists, and while the vendor was notified early through GitHub issue #3, no patch has been released as of the analysis date.
Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue
Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.
Arbitrary code execution in pyload-ng via pickle deserialization allows non-admin users with SETTINGS and ADD permissions to write malicious session files and trigger unauthenticated RCE. Attackers redirect the download directory to Flask's session store (/tmp/pyLoad/flask), plant a crafted pickle payload as a predictable session filename, then trigger deserialization by sending any HTTP request with the corresponding session cookie. This bypasses CVE-2026-33509 fix controls because storage_folder was not added to ADMIN_ONLY_OPTIONS. No public exploit identified at time of analysis, though detailed proof-of-concept methodology is documented in the advisory. EPSS data not available for this recent CVE.
Server-Side Request Forgery in pyLoad-ng allows authenticated users with ADD permissions to read local files via file:// protocol, access internal network services, and exfiltrate cloud metadata. The parse_urls API endpoint fetches arbitrary URLs without protocol validation, enabling attackers to read /etc/passwd, configuration files, SQLite databases, and AWS/GCP metadata endpoints at 169.254.169.254. Error-based responses create a file existence oracle. Multi-protocol support (file://, gopher://, dict://) escalates impact beyond standard HTTP SSRF. CVSS 7.7 reflects network attack vector, low complexity, and scope change with high confidentiality impact. No public exploit code identified at time of analysis, though detailed proof-of-concept included in advisory demonstrates exploitation via curl commands against Docker deployments.
Remote code execution in BentoML's containerization workflow allows attackers to execute arbitrary Python code on victim machines by distributing malicious bento archives containing SSTI payloads. When victims import a weaponized bento and run 'bentoml containerize', unsanitized Jinja2 template rendering executes attacker-controlled code directly on the host system, bypassing all Docker container isolation. The vulnerability stems from using an unsandboxed jinja2.Environment with the dangerous jinja2.ext.do extension to process user-provided dockerfile_template files. Authentication is not required (CVSS PR:N), though exploitation requires user interaction (UI:R) to import and containerize the malicious bento. No public exploit identified at time of analysis, though the GitHub advisory includes detailed proof-of-concept demonstrating host filesystem compromise.
SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.
Command injection in BentoML's cloud deployment path allows remote code execution on BentoCloud build infrastructure via malicious bentofile.yaml configurations. While commit ce53491 fixed command injection in local Dockerfile generation by adding shlex.quote protection, the cloud deployment code path (deployment.py:1648) remained vulnerable, directly interpolating system_packages into shell commands without sanitization. Attackers can inject shell metacharacters through bentofile.yaml to execut
Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-
Unauthenticated remote attackers can trigger complete database overwrites, server-side file reads, and SSRF attacks against Dgraph graph database servers (v24.x, v25.x prior to v25.3.1) via the admin API's restoreTenant mutation. The mutation bypasses all authentication middleware due to missing authorization configuration, allowing attackers to provide arbitrary backup source URLs (including file:// schemes for local filesystem access), S3/MinIO credentials, Vault configuration paths, and encry
{{$context.data.fieldName}}) directly into raw SQL statements, enabling attackers to break out of string literals and inject malicious SQL commands. Publicly available exploit code exists demonstrating UNION-based injection to extract database credentials and system information. With default Docker deployments granting superuser database privileges, attackers gain full read/write access to the database including credential extraction, data modification, and table deletion capabilities.
Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires in
Local privilege escalation in Himmelblau versions 2.0.0-alpha through 2.3.8 and 3.0.0-alpha through 3.1.0 allows authenticated users to assume privileged group membership when their Azure Entra ID-mapped CN or short name collides with system group names (sudo, wheel, docker, adm, etc.). The NSS module resolves the collision to the attacker's fake primary group, potentially granting group-level privileges if the system uses NSS for authorization decisions. CVSS 6.3 (medium); no public exploit identified at time of analysis.
Stored cross-site scripting in File Browser via admin-controlled branding fields allows injection of persistent JavaScript that executes for all visitors, including unauthenticated users. The vulnerability stems from use of Go's text/template (which performs no HTML escaping) instead of html/template when rendering the SPA index.html with branding data. An authenticated admin can inject malicious payloads into branding.name or branding.color fields that break out of their intended HTML context and execute arbitrary JavaScript in every user's browser without restriction, as no Content-Security-Policy header is set. Affected versions through v2.62.1 are vulnerable; vendor-released patches are available.
Stored XSS in File Browser's EPUB preview function (versions ≤v2.62.1) allows authenticated attackers to steal JWT tokens and escalate privileges by uploading malicious EPUB files. The vulnerability arises from passing allowScriptedContent:true to the epub.js library combined with an ineffective iframe sandbox (allow-scripts + allow-same-origin), enabling JavaScript in crafted EPUBs to access parent frame localStorage. CVSS 7.6 (AV:N/AC:L/PR:L/UI:R/S:C). No public exploit identified at time of analysis beyond the detailed PoC in the advisory. EPSS data not available. Vendor-released patch available per GitHub advisory. Low-privilege users with file upload permissions can weaponize this to compromise administrator sessions.
Stored cross-site scripting (XSS) in phpMyFAQ 4.2.0-alpha allows unauthenticated attackers to inject malicious JavaScript via RFC 5321-compliant quoted email addresses in guest FAQ submissions. The injected payload is stored without sanitization and rendered using Twig's |raw filter in the admin FAQ editor, executing in administrator browsers and enabling session hijacking, admin account takeover, and arbitrary site manipulation. A publicly available proof-of-concept demonstrates successful JavaScript execution when administrators review pending FAQs.
Anthropic Python SDK versions 0.86.0 to before 0.87.0 create memory files with overly permissive file permissions (0o666), allowing local attackers to read persisted agent state or modify memory files to influence model behavior on shared hosts and Docker environments. The vulnerability affects both synchronous and asynchronous memory tool implementations and has been patched in version 0.87.0; no public exploit code or active exploitation has been identified at the time of analysis.
Unauthenticated remote access to restricted documents in Admidio 5.0.0-5.0.7 Docker deployments allows disclosure of role-protected files. The Docker image's Apache configuration disables .htaccess processing (AllowOverride None), bypassing intended access controls on uploaded documents. Attackers can directly retrieve files via HTTP without authentication using paths disclosed in upload response JSON. CVSS 7.5 (High) with network-based attack vector and no authentication required. No public exploit identified at time of analysis, though exploitation is straightforward given the configuration flaw.
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated low-privilege attackers to escape Node.js vm sandbox and execute arbitrary commands as root inside Docker containers. The vulnerability exploits exposed WritableWorkerStdio stream objects in the sandbox console to traverse the prototype chain, access the host-realm Function constructor, load unrestricted Node.js modules (child_process), and spawn system commands. Confirmed exploited with reverse shell access, database credential theft (DB_PASSWORD, INIT_ROOT_PASSWORD), and arbitrary filesystem operations. EPSS data not available; public exploit code exists with detailed proof-of-concept demonstrating root shell access in nocobase/nocobase:latest Docker image. Critical 10.0 CVSS score reflects network-exploitable, low-complexity attack with complete confidentiality, integrity, and availability impact plus scope change (container escape implications).
Server-side request forgery in Docker Model Runner allows unprivileged containers or malicious OCI registries to make arbitrary GET requests to internal services by exploiting unvalidated realm URLs in the OCI registry token exchange flow. Affected versions prior to 1.1.25 (Docker Desktop prior to 4.67.0) permit attackers to access host-local services and reflect response bodies back to the caller, potentially exfiltrating sensitive data from internal endpoints. No public exploit code or active exploitation has been reported at time of analysis.
Insecure Direct Object Reference (IDOR) in nginx-ui up to v2.3.3 allows authenticated low-privilege users to access, modify, and delete any resource across all user accounts, including plaintext DNS provider API tokens (Cloudflare, AWS Route53, Alibaba Cloud) and ACME private keys. The application's base Model struct lacks user_id fields, and all resource endpoints query by ID without ownership verification. CVSS 8.8 reflects scope change to external services—stolen Cloudflare tokens enable DNS hijacking and fraudulent certificate issuance. No public exploit identified at time of analysis, but trivial to execute via standard HTTP requests. Vendor-released patch: v2.3.4.
Authenticated denial of service in nginx-ui 2.3.3 and earlier allows any user with settings access to submit a negative integer for the logrotate.interval parameter, triggering an infinite loop in the backend that exhausts CPU resources and renders the web interface unresponsive. Vendor-released patch available in v2.3.4. No public exploit code identified beyond proof-of-concept documentation; not confirmed as actively exploited.
Race condition in nginx-ui web interface allows remote authenticated attackers to corrupt the primary configuration file (app.ini) through concurrent API requests, resulting in persistent denial of service and potential remote code execution. The vulnerability affects nginx-ui versions prior to 2.3.4 deployed in production environments including Docker containers. Concurrent POST requests to /api/settings trigger unsynchronized file writes that interleave at the OS level, corrupting configuration sections and creating cross-contamination between INI fields. In non-deterministic scenarios, user-controlled input can overwrite shell command fields (ReloadCmd, RestartCmd), enabling arbitrary command execution during nginx reload operations. Public exploit code demonstrates the attack path using standard HTTP testing tools. No CISA KEV listing or EPSS data available at time of analysis, but proof-of-concept with detailed reproduction steps exists in the GitHub security advisory.
Authenticated users in nginx-ui v2.3.3 and earlier can delete the entire `/etc/nginx` configuration directory via path traversal using double-encoded sequences (..%252F), causing immediate Nginx service failure and denial of service. The vulnerability exploits improper URL canonicalization combined with unsafe recursive deletion logic that resolves malicious paths to the base configuration directory instead of rejecting them.
Remote authenticated attackers can achieve arbitrary command execution on nginx-ui v2.3.3 servers by manipulating encrypted backup archives during restoration. The vulnerability stems from a circular trust model where backup integrity metadata is encrypted using the same AES key provided to clients, allowing attackers to decrypt backups, inject malicious configuration (including command execution directives), recompute valid hashes, and re-encrypt the archive. The restore process accepts tampered backups despite hash verification warnings. Publicly available exploit code exists with detailed proof-of-concept demonstrating configuration injection leading to arbitrary command execution. Vendor-released patch available in nginx-ui v2.3.4. This represents a regression from GHSA-g9w5-qffc-6762, which addressed backup access control but not the underlying cryptographic design flaw.
Arbitrary file read in Gotenberg versions prior to 8.29.0 allows unauthenticated remote attackers to bypass URL deny-list protections and access sensitive container files via case-variant URI schemes. The default deny-list regex `^file:(?!//\/tmp/).*` only matches lowercase 'file:', but Chromium normalizes mixed-case schemes (FILE://, File://, fILE://) to lowercase after the deny-list check, enabling access to /etc/passwd, environment variables, and configuration files. This bypasses the incomplete fix for CVE-2024-21527. Vendor-released patch available in version 8.29.0. POC confirmed in GitHub advisory. EPSS exploitation probability is low (0.02%) despite public POC, suggesting limited real-world targeting to date.
CrewAI fails to validate Docker runtime availability during execution and silently reverts to an insecure sandbox mode, enabling remote code execution. Affected versions prior to the patch rely on Docker for isolation; when Docker becomes unavailable or is misconfigured, the fallback mechanism does not enforce adequate sandboxing constraints, allowing attackers to execute arbitrary commands within the application context. No CVSS score or official CVE details are available at this time, though the vulnerability has been reported to CERT and carries high practical risk due to the automatic unsafe fallback behavior.
Remote code execution in CrewAI's CodeInterpreter tool occurs when Docker connectivity fails and the system falls back to SandboxPython, allowing unauthenticated remote attackers to execute arbitrary C functions and achieve code execution. The vulnerability affects systems relying on CrewAI's code execution capabilities where Docker is unavailable or unreachable, creating a dangerous fallback condition that bypasses intended sandboxing protections.
Authentication bypass in MinIO allows any authenticated user with s3:PutObject permission to permanently corrupt objects by injecting fake server-side encryption metadata via crafted X-Minio-Replication-* headers. Attackers can selectively render individual objects or entire buckets permanently unreadable through the S3 API without requiring elevated ReplicateObjectAction permissions. Affects all MinIO releases from RELEASE.2024-03-30T09-41-56Z through the final open-source release. Vendor-released patch available in MinIO AIStor RELEASE.2026-03-26T21-24-40Z. No public exploit identified at time of analysis, though the attack mechanism is well-documented in the advisory.
Unauthenticated network access to Home Assistant apps bypasses intended Docker isolation on Linux systems, exposing internal services to any device on the local network. Apps configured with host network mode inadvertently bind internal Docker bridge endpoints to the broader LAN without authentication controls, enabling unauthorized access with high confidentiality, integrity, and availability impact (CVSS 9.6). Vendor-released patch available in Home Assistant Supervisor 2026.03.02. No public exploit identified at time of analysis, though exploitation requires only adjacent network access with low attack complexity.
A path traversal vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.
Unauthenticated remote cache poisoning in nektos/act (GitHub Actions local runner) enables arbitrary code execution by exposing the built-in actions/cache server on all network interfaces without authentication. Attackers who can reach the cache server (including from the public internet if exposed) can inject malicious cache entries with predictable keys, leading to remote code execution within Docker containers running GitHub Actions workflows. No public exploit identified at time of analysis; EPSS data unavailable. Vendor-released patch available in act v0.2.86.
Command injection in nektos/act (GitHub Actions local runner) allows attackers to execute arbitrary code by embedding deprecated workflow commands in untrusted input. Act versions prior to 0.2.86 unconditionally process ::set-env:: and ::add-path:: commands that GitHub Actions disabled in 2020, enabling PATH hijacking and environment variable injection when workflows echo PR titles, branch names, or commit messages. Publicly available exploit code exists with working proof-of-concept demonstrating NODE_OPTIONS and LD_PRELOAD injection vectors. This creates a critical supply chain risk where workflows safe on GitHub Actions become exploitable when developers test them locally with act.
changedetection.io versions up to 0.54.6 leak all server environment variables including password hashes, proxy credentials, and API keys via unrestricted jq filter expressions. Attackers with API access (default: no authentication required) can extract SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed to the container by creating a watch with 'jqraw:env' as the include filter. Vendor-released patch available in version 0.54.7. No active exploitation confirmed (not in CISA KEV), but a detailed proof-of-concept exists in the GitHub advisory demonstrating full environment variable extraction in three API calls.
Docker daemon allows authorization plugin bypass through specially-crafted API requests that strip request bodies before forwarding to authorization (AuthZ) plugins, enabling attackers with low-level privileges to circumvent access controls. This vulnerability (CVSS 8.8) affects moby/moby and docker/docker packages, representing an incomplete fix for CVE-2024-41110. Vendor-released patch is available via GitHub commit e89edb19ad7de0407a5d31e3111cb01aa10b5a38, and no public exploit has been identified at time of analysis, though base exploitation likelihood is noted as low by the vendor.
Docker daemon privilege validation logic in plugin installation contains a comparison error that allows malicious plugins to bypass approval checks and request unintended privileges, including sensitive device access permissions. The vulnerability affects Docker and Moby (pkg:go/github.com_docker_docker, pkg:go/github.com_moby_moby) across multiple versions, with CVSS 6.8 reflecting high confidentiality and integrity impact. Exploitation requires installation from a malicious plugin source and user interaction during the install prompt, but no active public exploitation has been confirmed.
Server-Side Request Forgery (SSRF) in open-webSearch's fetchWebContent MCP tool enables remote unauthenticated attackers to fetch arbitrary private-network URLs and receive full response bodies. Two defects in the `isPrivateOrLocalHostname` validator combine to allow bypass: bracketed IPv6 literals (e.g., `[::ffff:7f00:1]`) are never validated because Node's URL.hostname preserves brackets and Node's isIP() returns 0 for bracketed strings, and DNS resolution is never performed so attacker-controlled hostnames resolving to RFC1918 addresses pass unchecked. When deployed with HTTP transport enabled (documented configuration, active in Docker image), the MCP server binds to 0.0.0.0:3000 with CORS origin='*' and no authentication, exposing the vulnerable tool to any network attacker. Fixed in version 2.1.7. No public exploit identified at time of analysis, but vendor-supplied proof-of-concept demonstrates full exploit chain against AWS EC2 metadata and localhost services.
Path traversal in MinIO's ReadMultiple internode storage-REST endpoint allows authenticated cluster peers or root-credential holders to read arbitrary files from the host filesystem outside configured drive roots. Distributed-erasure (multi-node) deployments are affected; single-node standalone deployments are not. The vulnerability exists in all releases from RELEASE.2022-07-24T01-54-52Z through RELEASE.2025-09-07T16-13-09Z and has been fixed as of MinIO AIStor RELEASE.2024-10-23T19-38-07Z (with security patch RELEASE.2026-04-14T21-32-45Z recommended). No public exploit code or active exploitation has been identified at time of analysis.
Unauthenticated remote access to privileged management functions in Network-AI npm package (versions ≤5.1.2) allows attackers to read and mutate orchestrator configuration, enumerate and control agents, create or revoke security tokens, and adjust global budget ceilings. The MCP HTTP transport binds to 0.0.0.0 by default and accepts JSON-RPC tool invocation requests without authentication, session validation, or origin checks. Public exploit code exists demonstrating enumeration of 22 privileged tools and successful mutation of runtime configuration parameters via simple HTTP POST requests. Vendor-released patch: version 5.1.3 available per GitHub advisory GHSA-fj4g-2p96-q6m3.
Prototype pollution read-side gadgets in axios HTTP adapter enable credential injection, request hijacking to attacker-controlled servers, and SSRF against internal Unix sockets when Object.prototype is polluted by co-located dependencies. Five unguarded config properties (auth, baseURL, socketPath, beforeRedirect, insecureHTTPParser) silently inherit polluted values on every outbound HTTP request. Proof-of-concept code demonstrates request redirection and credential exfiltration. Fixed in axios 1.15.2 per GitHub advisory GHSA-q8qp-cvcw-x6jj. CVSS 7.4 (High) reflects network exploitability with high attack complexity; no public exploit identified at time of analysis beyond vendor-provided POC.
Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.
Authorization bypass in Docker Distribution Registry allows remote clients to delete image tags via the DELETE /v2/<name>/manifests/<tag> endpoint even when the operator has explicitly configured storage.delete.enabled: false. The tag deletion code path in registry/handlers/manifests.go bypasses the deletion authorization check present in digest-based manifest deletion, enabling attackers with network access to cause denial of service by removing tags and disrupting supply chain integrity of registries intended to be immutable.
Remote code execution as root in nginx-ui versions before 2.3.8 via unauthenticated backup restore within 10-minute startup window. Attackers exploit the completely unauthenticated /api/restore endpoint during initial installation to upload malicious backup archives that overwrite app.ini configuration with injected OS commands in TestConfigCmd setting. After automatic application restart, command injection triggers with privileges of the nginx-ui process - typically root in Docker deployments. EPSS data not available; no active exploitation reported but publicly disclosed via GitHub Security Advisory GHSA-4pvg-prr3-9cxr. Patch released in version 2.3.8.
Traefik's errors middleware discloses sensitive HTTP headers including Authorization and Cookie to separate error page services when backends return configured error status codes. Affected versions are Traefik v2.11.43 and earlier, v3.6.14 and earlier, and v3.7.0-rc.0 through v3.7.0-rc.2. The vulnerability allows credentials meant only for backend services to be forwarded to distinct error page infrastructure, expanding exposure across service boundaries. Vendor-released patches are available; actively exploited status not confirmed.
Remote unauthenticated attackers can bypass ExifTool tag blocklist in Gotenberg 8.x via group-prefixed tag names (e.g., 'System:FileName' instead of 'FileName'), enabling arbitrary file renaming, relocation, and permission modification within the container filesystem. One HTTP request exploits this input validation bypass (CWE-20) to circumvent protections from a prior security fix (GHSA-qmwh-9m9c-h36m). The vulnerability affects all metadata-accepting endpoints in Gotenberg's default configuration, which typically runs without authentication. No public exploit code is confirmed, but a detailed proof-of-concept is published in the GitHub advisory (GHSA-62p3-hvxx-fxg4). CVSS 8.2 reflects network vector with no authentication required, though real-world impact depends on container isolation and shared volume configurations.
Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.
Server-Side Request Forgery (SSRF) in n8n-mcp SDK allows authenticated remote attackers to access cloud metadata endpoints and internal network resources via IPv4-mapped IPv6 address bypass. Versions 2.47.4 through 2.47.13 fail to validate IPv6 addresses in the synchronous URL validator (SSRFProtection.validateUrlSync()), enabling attackers who control the n8nApiUrl parameter to bypass RFC1918, localhost, and cloud metadata protections using addresses like [::ffff:169.254.169.254]. The vulnerability is non-blind SSRF returning response bodies to the attacker, and forwards the n8nApiKey in the x-n8n-api-key header to attacker-controlled targets. Confirmed actively exploited (CISA KEV). Vendor-released patch: version 2.47.14. EPSS exploitation probability not provided but risk is elevated given KEV status and availability of exploit code in the GitHub advisory.
Argument injection in Gotenberg v8.30.1 and earlier allows unauthenticated remote attackers to manipulate filesystem operations by embedding newline characters in PDF metadata values. The vulnerability bypasses an incomplete fix from v8.30.1 that sanitized only metadata keys while leaving values unvalidated, enabling injection of ExifTool pseudo-tags like -FileName, -Directory, -SymLink, and -HardLink through the /forms/pdfengines/metadata/write endpoint. Attackers can move files to arbitrary paths (including overwriting /etc/passwd), create symlinks for read/write primitives, and persist data via hard links - all without authentication against default configurations. Vendor-released patch: version 8.31.0. CVSS 10.0 severity reflects the network attack vector (AV:N), no authentication requirement (PR:N), low complexity (AC:L), and scope change (S:C) enabling container escape scenarios. No public exploit identified at time of analysis, though complete PoC reproduction steps are documented in GitHub advisory GHSA-q7r4-hc83-hf2q.
Server-Side Request Forgery in Gotenberg 8.29.1 Docker image enables remote unauthenticated attackers to probe internal networks and trigger POST requests to arbitrary internal/external endpoints via the Gotenberg-Webhook-Url header. CVSS 8.6 High with Changed Scope (S:C) reflects the ability to pivot from the Gotenberg container to internal services. Publicly available exploit code exists (PoC published in GitHub advisory GHSA-5vh4-rgv7-p9g4). Vendor-released patch 8.31.0 implements IP resolution and non-public address blocking to prevent DNS rebinding and RFC1918/link-local targeting.
Gotenberg versions up to 8.30.1 allow Server-Side Request Forgery (SSRF) against internal networks and cloud metadata endpoints via case-variation bypass of webhook and downloadFrom deny-lists. Remote unauthenticated attackers can use uppercase URL schemes (HTTP://, HTTPS://) to circumvent the default case-sensitive regex (^https?://) protecting private IP ranges; Go's net/url.Parse() normalizes schemes to lowercase during connection establishment, completing the bypass. The flaw affects two features added in commit 3f01ca1 (April 2026): webhook callback URLs and downloadFrom file fetching. Vendor-released patch version 8.31.0 available. CVSS 9.1 (Critical) with Changed Scope reflects potential access to instance metadata services (e.g., AWS 169.254.169.254) and internal APIs that return sensitive data in Content-Disposition headers. This is a regression of the pattern previously fixed in CVE-2026-27018 for the Chromium deny-list.
The `BetaLocalFilesystemMemoryTool` in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes (`0o666` for files, `0o777` for directories), leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. Users on the affected versions are advised to update to the latest version. Claude SDK thanks `lucasfutures` for the report.
Versions of `i18next-http-middleware` prior to 3.9.3 pass the user-controlled `lng` and `ns` values from `getResourcesHandler` directly into `i18next.services.backendConnector.load(languages, namespaces, …)` without any sanitisation. Depending on which backend is configured, the unvalidated path segments enable one of two attacks:

- **Filesystem path traversal** when the middleware is paired with `i18next-fs-backend` (or any backend that interpolates `lng` / `ns` into a filesystem path).
- **Server-Side Request Forgery (SSRF)** when the middleware is paired with `i18next-http-backend` (or any backend that interpolates into an HTTP URL).

Example request:

```
GET /locales/resources.json?lng=../../etc/passwd&ns=root
```

with `i18next-fs-backend` reads the attacker-chosen file from disk; with `i18next-http-backend` reshapes the outgoing URL to target an internal service.

Impact:

- **Arbitrary file read** via `fs`-style backends: any file the Node process can read becomes reachable (source, configuration, `.ssh` keys, `.env`, Docker secrets, etc.).
- **SSRF** via `http`-style backends: requests to internal IPs / hostnames not normally reachable from the internet; combined with cloud metadata endpoints this can escalate to credential theft.
- **Unbounded growth of `i18next.options.ns`**, a now-incidental amplification: the pre-patch `getResourcesHandler` pushed every unique `ns` value into the shared `i18next.options.ns` singleton array without validation or bounds, enabling memory exhaustion from repeated unique payloads.

The severity is bounded by the backend in place, but the middleware itself exposed the unsanitised path; this is the "weakest link" layer.

Affected versions: `< 3.9.3`. Fixed in **3.9.3**.

The patch introduces `utils.isSafeIdentifier` and applies it in `getResourcesHandler` before `lng` and `ns` reach the backend connector:

```js
languages = languages.filter(utils.isSafeIdentifier)
namespaces = namespaces.filter(utils.isSafeIdentifier)
```

`isSafeIdentifier` uses a denylist approach (it still accepts any legitimate i18next language-code shape, see the [i18next FAQ](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)), rejecting:

- `..` sequences (relative path traversal)
- path separators (`/`, `\`)
- control characters (C0/C1)
- prototype keys (`__proto__` / `constructor` / `prototype`)
- empty strings and values longer than 128 characters

Unsafe values are dropped; only safe values reach the backend. The fix is a defence-in-depth layer on top of any sanitisation the backend itself may apply.

No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects requests containing `..`, `/`, `\`, or URL-structure characters in `lng` / `ns` is a partial mitigation. Upgrading the configured backend (`i18next-fs-backend` ≥ 2.6.4, `i18next-http-backend` ≥ 3.0.5) also closes the same attack at the next layer.

Related advisories:

- [GHSA-5fgg-jcpf-8jjw](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw): prototype pollution via `setPath` and `missingKeyHandler`. Independently fixable, filed separately per CNA rules.
- [GHSA-c3h8-g69v-pjrg](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg): HTTP response splitting + XSS-filter bypass (CVE-2026-41683).

Discovered via an internal security audit of the i18next ecosystem.

References:

- [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html)
- [CWE-918: Server-Side Request Forgery (SSRF)](https://cwe.mitre.org/data/definitions/918.html) (specific sub-case when paired with an HTTP backend)
- [i18next FAQ: language code formatting](https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted)
OpenShift Container Platform build system allows authenticated users with the edit ClusterRole to inject arbitrary environment variables into docker-build containers via the buildconfigs/instantiate API, enabling information disclosure attacks such as build traffic interception through LD_PRELOAD or http_proxy manipulation. This represents an incomplete remediation of a prior vulnerability, affecting confidentiality of sensitive build data with CVSS 4.3 (network-accessible, low complexity, authenticated). No public exploit code or active exploitation has been confirmed at the time of analysis.
Environment variable injection in OpenClaw (pre-2026.3.31) allows authenticated remote attackers to compromise host execution integrity by injecting malicious variables that override package managers, Docker registries, compiler paths, and TLS configurations during host exec operations. The vulnerability exhibits high confidentiality impact (CVSS:4.0 VC:H) with network attack vector and low complexity (AV:N/AC:L), requiring only low-privilege authentication (PR:L). VulnCheck disclosure indicates this affects Docker-related operations, with fixes available via GitHub commit eb8de67 and tracked under GHSA-cg7q-fg22-4g98. EPSS and KEV data not available at time of analysis.
Path traversal in HBAI-Ltd Toonflow-app up to version 1.1.1 allows authenticated remote attackers to read arbitrary files via manipulation of the url argument in the updateStoryboardUrl function of the Storyboard Export component. The vulnerability has a publicly available exploit, though the vendor disputes its practical exploitability, arguing the affected interface is designed to accept only local or trusted Docker-configured addresses. CVSS 4.3 reflects low confidence (RC:C) and unconfirmed exploitation probability (E:P).
OS command injection in Toowiredd chatgpt-mcp-server up to version 0.1.0 allows remote unauthenticated attackers to execute arbitrary system commands through the Docker service component. The vulnerability exists in src/services/docker.service.ts within the MCP/HTTP interface and has publicly available exploit code. The vendor has been notified but has not yet released a patch.
Soft-deleted public books in note-mark allow unauthenticated access to notes and assets via direct API endpoints and slug URLs. When a note-mark owner deletes a public book, the GORM soft-delete mechanism fails to filter raw SQL JOIN clauses in note and asset queries, leaving notes and uploaded content readable to any caller who knows the note ID or slug path. CVSS 5.3 (network, low complexity, no authentication required) reflects confidentiality impact; patch is available from vendor.
Remote authentication bypass in note-mark backend allows unauthenticated attackers to hijack OIDC user accounts by submitting the password 'null' to the internal login endpoint. Affected deployments running default configuration (EnableInternalLogin=true) with OIDC enabled permit complete account takeover of any OIDC-registered user. Attackers gain full access to private notebooks, markdown content, and uploaded assets, plus can persist access by overwriting the victim's password. Vendor patch available in commit dea5530c. CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) reflects the zero-interaction remote attack against default installations. No EPSS or KEV data available, but the detailed POC script in the advisory significantly lowers exploitation barrier.
Authentication bypass in Traefik's StripPrefixRegex middleware allows unauthenticated remote attackers to access protected resources when combined with ForwardAuth, BasicAuth, or DigestAuth. By inserting a percent-encoded dot (%2e) in the URL prefix, attackers exploit a length mismatch between decoded path matching and encoded path slicing, causing ForwardAuth to receive a dot-segment path (/./admin/secret) that bypasses protection rules while backend servers normalize it to the protected path (/admin/secret). Confirmed with working proof-of-concept against Traefik v3.6.11. Patches released for v2.11.43, v3.6.14, and v3.7.0-rc.2. No CVSS score assigned yet, but meets criteria for high severity given complete authentication bypass with network attack vector requiring no privileges or user interaction.
Authentication bypass in Traefik's ForwardAuth middleware allows remote attackers to spoof the X-Forwarded-Prefix header and gain unauthorized access to protected backend routes when deployed behind trusted upstream proxies. Despite trustForwardHeader=false configuration, Traefik fails to sanitize attacker-controlled X-Forwarded-Prefix values in authentication subrequests, enabling attackers to impersonate trusted path prefixes (e.g., /admin) and bypass authorization checks in the authentication service. The vulnerability affects Traefik v2.x and v3.x series and is confirmed patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. No KEV listing or EPSS data available at time of analysis, but a detailed proof-of-concept with complete Docker reproduction environment is publicly available in the GitHub advisory, significantly lowering exploitation complexity for attackers.
Unbounded memory allocation in Eclipse zserio serialization framework allows remote attackers to trigger system crashes via crafted payloads as small as 4-5 bytes, forcing allocations up to 16 GB and causing out-of-memory errors. Affects both C++ and Java runtimes used in Navigation Data Standard (NDS) implementations deployed across millions of vehicles from Toyota, BMW, Volkswagen, Mercedes-Benz, and 39 other automotive manufacturers. Vendor-released patch available in zserio v2.18.1, addressing unchecked length parameters in Array.h, BitStreamReader.h, and Java runtime equivalents. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation without authentication.
Unauthenticated attackers can steal admin tokens from Dgraph Alpha v25.3.2 and earlier via the exposed /debug/vars endpoint, enabling complete authentication bypass to administrative functions. The vulnerability exists because Dgraph incompletely fixed a previous cmdline exposure issue, blocking only /debug/pprof/cmdline while still serving Go's expvar handler at /debug/vars, which publishes the full command-line arguments including --security token= flags. Attackers can retrieve the token remotely without authentication (CVSS AV:N/PR:N) and replay it in X-Dgraph-AuthToken headers to access admin-only endpoints. Vendor patch released in v25.3.3 per GitHub advisory GHSA-vvf7-6rmr-m29q. No public exploit identified at time of analysis, but detailed proof-of-concept steps are published in the advisory.
Pre-authentication NoSQL injection in Dgraph allows remote unauthenticated attackers to exfiltrate entire databases and modify schemas via crafted JSON mutation keys. The vulnerability exploits unsanitized language tag fields in the addQueryIfUnique function, enabling DQL query injection through specially crafted HTTP POST requests to port 8080. Attackers can extract all database contents including credentials, secrets, and AWS keys with two HTTP requests against default configurations where ACL is disabled. CVSS 9.1 (Critical) with network vector, no authentication required, and low attack complexity. No public exploit code confirmed outside the GitHub advisory, though a complete proof-of-concept with video demonstration exists in the advisory. EPSS data not available for this recent CVE.
Remote unauthenticated attackers can exfiltrate all data from Dgraph databases via DQL injection in the /mutate endpoint's cond parameter. Default configurations with ACL disabled allow single HTTP POST requests to bypass authentication and execute arbitrary read queries, returning complete database contents including credentials, PII, and secrets. The vulnerability exploits unsanitized string concatenation in buildUpsertQuery() where user-supplied cond values are written directly into DQL queries without escaping or validation. Proof-of-concept demonstrates extraction of AWS credentials, GCP service account keys, and user secrets in a single request. No public exploitation confirmed at time of analysis, but POC code publicly available via GitHub advisory. EPSS data not available; CVSS 9.1 indicates critical severity with network vector and no authentication required.
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image. Both public-chatflows AND public-chatbotConfig return completely raw flowData including credential IDs, plaintext API keys, and password-type fields. This vulnerability is fixed in 3.1.0.
n8n-mcp v2.47.10 and earlier in HTTP transport mode logs sensitive authentication credentials and request metadata regardless of authentication outcome, allowing disclosure of bearer tokens, API keys, and JSON-RPC payloads to any system with access to server logs. While access control correctly rejects unauthenticated requests with 401 responses, the sensitive data from those rejected requests is persisted in logs before authentication is enforced, creating an information disclosure vulnerability (CWE-532) with CVSS 5.3 (low confidentiality impact). No public exploit code or active exploitation is documented; patch is available in v2.47.11.
SQL injection in Jellystat versions prior to 1.1.10 escalates to remote code execution on the PostgreSQL database host. Authenticated attackers can inject arbitrary SQL via multiple API endpoints (`/api/getUserDetails`, `/api/getLibrary`), initially exfiltrating sensitive credentials from the `app_config` table (including Jellystat admin credentials and Jellyfin API keys). Because the application uses node-postgres simple query protocol allowing stacked queries, attackers can leverage PostgreSQL's `COPY ... TO PROGRAM` to achieve command execution on the database server. The project's default docker-compose.yml deploys PostgreSQL with superuser privileges, removing any privilege barriers to RCE. Vendor patch released in version 1.1.10 (GitHub commit 735fe7c confirmed). No active exploitation confirmed by CISA KEV, but publicly available exploit code exists given the detailed technical disclosure in GitHub Security Advisory GHSA-fj7c-2p5q-g56m.
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability.
Cross-site scripting in mailcow dockerized versions prior to 2026-03b enables remote attackers to execute malicious JavaScript in victim browsers through a chained Login CSRF and Self-XSS attack. Exploitation requires low-privileged attacker credentials and victim interaction, but can result in unauthorized access to victim email accounts and session hijacking (CVSS 7.0, AV:N/AC:H/PR:L/UI:P). The vulnerability stems from insufficient HTML escaping of X-Real-IP header values in the login history dashboard, combined with server trust of client-supplied IP headers. No active exploitation or public POC identified at time of analysis, but technical details disclosed via GitHub Security Advisory make weaponization feasible.
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability.
Stored cross-site scripting (XSS) in mailcow: dockerized (versions prior to 2026-03b) allows remote unauthenticated attackers to execute arbitrary JavaScript in administrator sessions by delivering emails with malicious attachment filenames. When administrators view quarantined emails through the web interface, unsanitized filenames inject into HTML without escaping, triggering automatic JavaScript execution that can compromise administrator accounts. No public exploit or active exploitation confirmed at time of analysis, though CVSS 8.9 (CVSS 4.0) reflects high impact with low attack complexity requiring user interaction.
Stored cross-site scripting in mailcow dockerized versions before 2026-03b enables remote attackers to execute arbitrary JavaScript in admin sessions by injecting malicious code through unauthenticated Autodiscover requests. The payload persists in Redis and triggers when administrators view Autodiscover logs on the admin dashboard. CVSS 9.3 reflects the network attack vector and high cross-scope impact, though exploitation requires admin interaction (UI:P) and no public exploit has been identified at time of analysis.
Second-order SQL injection in mailcow: dockerized versions prior to 2026-03b allows authenticated API users with high privileges to execute arbitrary SQL commands through the quarantine notification system. Attackers inject malicious SQL via the quarantine_category field in /api/v1/add/mailbox endpoint, which executes when quarantine_notify.py runs its scheduled job, enabling data exfiltration of admin credentials and sensitive information through UNION-based queries rendered in notification emails. No public exploit code or active exploitation confirmed at time of analysis, with vendor patch available in version 2026-03b.
Privilege escalation in Neko virtual browser (versions 3.0.0-3.0.10, 3.1.0-3.1.1) allows any authenticated user with low privileges to immediately gain full administrative control over the entire instance, including member management, room settings, broadcast control, and session termination. This complete instance compromise requires only network access and valid user credentials (CVSS 8.8, AV:N/AC:L/PR:L). While EPSS exploitation probability is low (0.12%, 31st percentile) and no active exploitation has been confirmed, the vulnerability is trivially exploitable by any authenticated user and classified as non-automatable but with total technical impact per SSVC. Vendor patches are available in versions 3.0.11 and 3.1.2.
OpenClaw before version 2026.3.31 fails to sanitize environment variables in its host exec policy, allowing authenticated local attackers to override proxy, TLS, Docker, and Git TLS security controls. An attacker with local access and limited privileges can bypass intended security restrictions by injecting malicious environment variables, potentially disabling certificate verification or redirecting traffic through unauthorized proxies. No public exploit code has been identified, and the vulnerability requires process interaction (AT:P) to trigger.
Remote code execution with container escape in Flowsint OSINT tool allows unauthenticated attackers to execute arbitrary OS commands as root on the host machine. The vulnerability exploits shell metacharacter injection in the 'org_to_asn' transformer when processing organization nodes in OSINT sketches. With CVSS 9.3 (CVSS 4.0), network attack vector, low complexity, and no authentication required, this represents critical risk to any internet-exposed Flowsint instance. Upstream fix committed (b52cbbb904c) removes vulnerable code, but no tagged release version confirmed yet. CVSS vector indicates proof-of-concept exploit exists (E:P).
Authenticated low-privileged users in wger can modify installation-wide gym configuration via /config/gym-config/edit due to missing permission enforcement, enabling vertical privilege escalation. The GymConfigUpdateView declares 'config.change_gymconfig' permission but inherits WgerFormMixin instead of WgerPermissionMixin, causing the permission check to never execute. Exploiting this allows attackers to manipulate default gym assignments affecting all users, with GymConfig.save() automatically reassigning user profiles and creating gym configurations tenant-wide. CVSS 7.6 (High) with network attack vector, low complexity, and low privileges required. No active exploitation (KEV) or public POC identified at time of analysis, though GitHub advisory provides detailed reproduction steps.
Remote code execution as root in OpenRemote IoT platform's rules engine (versions prior to 1.20.3) allows authenticated non-superuser attackers with write:rules role to execute arbitrary Java code via unsandboxed JavaScript rulesets. The vulnerability stems from Nashorn ScriptEngine.eval() executing user-supplied JavaScript without ClassFilter restrictions, enabling Java.type() access to any JVM class including java.lang.Runtime. Attackers can compromise the entire multi-tenant platform, steal c
GitHub Actions credential leakage in PraisonAI through ArtiPACKED attack exposes GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN in workflow artifacts. Versions 4.5.139 and below persist credentials in .git/config via actions/checkout without disabling persist-credentials, allowing any user with read access to public repository artifacts to extract tokens and compromise the supply chain. CVSS 9.1 (Critical) with network-accessible, unauthenticated attack vector. EPSS data not provided; no confirmed active exploitation (KEV status not indicated), but attack technique is publicly documented by Palo Alto Unit42 and widely reported. Vendor-released patch available in version 4.5.140.
Shell command injection in NSA Emissary's Executrix.getCommand() allows authenticated users with place configuration authorship to achieve arbitrary OS command execution when any payload is processed. The framework constructs /bin/sh -c commands by directly substituting IN_FILE_ENDING and OUT_FILE_ENDING configuration values into temporary file paths without escaping or validation, despite implementing input sanitization for similar parameters (placeName). Vendor-released patch available (commit 1faf33f). CVSS 8.8 (high) reflects local attack vector requiring low privileges, but scope change to C indicates container/JVM breakout potential. No CISA KEV listing or public exploit identified at time of analysis, though detailed proof-of-concept exists in advisory including Docker-based reproduction and unit test.
Command injection in simple-git npm package versions ≤3.28.0 enables arbitrary code execution via crafted Git options. Attackers who control Git command options can bypass the allowUnsafePack safety restriction using malformed variations of the -u flag (e.g., -vu, -4u, --u) to execute shell commands on Linux systems. This vulnerability stems from an incomplete fix for CVE-2022-25860, with proof-of-concept code publicly available demonstrating file creation via touch command. EPSS data not provid
Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.
Server-side request forgery in Arcane Docker management interface versions prior to 1.17.3 allows unauthenticated remote attackers to conduct SSRF attacks via the /api/templates/fetch endpoint. Attackers can supply arbitrary URLs through the url parameter, causing the server to perform HTTP GET requests without URL scheme or host validation, with responses returned directly to the caller. This enables reconnaissance of internal network resources, access to cloud metadata endpoints, and potential interaction with internal services from the server's network context. No public exploit identified at time of analysis.
CSRF vulnerability in Dockyard prior to 1.1.0 allows unauthenticated remote attackers to start or stop Docker containers by tricking a logged-in administrator into clicking a malicious link, since container control endpoints accept GET requests without CSRF token validation. An attacker can disrupt service availability or trigger unintended container state changes without authentication credentials. No active exploitation or public exploit code has been confirmed.
Server-Side Request Forgery in Sonicverse Radio Audio Streaming Stack dashboard API client allows authenticated operators to perform arbitrary HTTP requests from the backend server to internal or external targets. Affects Docker Compose deployments installed via the provided install.sh script, including one-liner installations. Attacker can exploit insufficient URL validation in apps/dashboard/lib/api.ts to access internal services, exfiltrate sensitive data from cloud metadata endpoints, or pivot to restricted network segments. CVSS 9.9 critical severity with changed scope indicates potential for significant cross-boundary impact. No public exploit identified at time of analysis.
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/terminal/ws` WebSocket endpoint. The terminal handler skips authentication validation entirely, accepting connections without credential checks and spawning PTY shells directly. Attackers obtain full interactive shell access as root in default Docker deployments through a single WebSocket connection, bypassing Marimo's authentication middleware. No public exploit identified at time of analysis.
Local trust-control bypass in mise (Rust task runner) versions ≤2026.3.17 allows attackers to inject malicious configuration through `.mise.toml` files, leading to arbitrary code execution. By setting `trusted_config_paths = ["/"]` in a project-local config file, attackers bypass the trust verification mechanism that should prevent execution of dangerous directives like `[env] _.source`, hooks, templates, and tasks. Exploitation requires victim interaction (cloning/opening a malicious repository), but no authentication. EPSS data not available; no confirmed active exploitation or public exploit code beyond the GitHub advisory's proof-of-concept. Attack complexity is high due to the requirement for victim action and specific execution context (mise hook-env invocation).
Remote code execution via OS command injection in suvarchal docker-mcp-server through 0.1.0 allows unauthenticated attackers to execute arbitrary commands by manipulating the stop_container, remove_container, or pull_image HTTP interface functions. Publicly available exploit code exists, and while the vendor was notified early through GitHub issue #3, no patch has been released as of the analysis date.
Remote code execution in OpenIdentityPlatform OpenAM 16.0.5 and earlier allows unauthenticated attackers to execute arbitrary OS commands via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypass exploits an unpatched deserialization sink in JATO's ClientSession.deserializeAttributes() that was overlooked when CVE-2021-35464 was mitigated. Attackers can target any JATO ViewBean endpoint with <jato:form> tags (commonly found in password reset pages) using a PriorityQue
Unauthenticated remote code execution (RCE) at root level in Aperi'Solve <3.2.1 allows attackers to execute arbitrary commands via unsanitized password input in JPEG upload functionality. Attack requires no authentication (PR:N) and low complexity (AC:L), with CVSS 9.3 critical severity. Publicly available exploit code exists via GitHub advisory. Attackers gain full container compromise with potential pivot to PostgreSQL/Redis databases and, in misconfigured deployments with Docker socket mounts, possible host system takeover. EPSS data not provided, but given unauthenticated network-based vector and public disclosure with fix details, exploitation risk is substantial for exposed instances.
Arbitrary code execution in pyload-ng via pickle deserialization allows non-admin users with SETTINGS and ADD permissions to write malicious session files and trigger unauthenticated RCE. Attackers redirect the download directory to Flask's session store (/tmp/pyLoad/flask), plant a crafted pickle payload as a predictable session filename, then trigger deserialization by sending any HTTP request with the corresponding session cookie. This bypasses CVE-2026-33509 fix controls because storage_folder was not added to ADMIN_ONLY_OPTIONS. No public exploit identified at time of analysis, though detailed proof-of-concept methodology is documented in the advisory. EPSS data not available for this recent CVE.
Server-Side Request Forgery in pyLoad-ng allows authenticated users with ADD permissions to read local files via file:// protocol, access internal network services, and exfiltrate cloud metadata. The parse_urls API endpoint fetches arbitrary URLs without protocol validation, enabling attackers to read /etc/passwd, configuration files, SQLite databases, and AWS/GCP metadata endpoints at 169.254.169.254. Error-based responses create a file existence oracle. Multi-protocol support (file://, gopher://, dict://) escalates impact beyond standard HTTP SSRF. CVSS 7.7 reflects network attack vector, low complexity, and scope change with high confidentiality impact. No public exploit code identified at time of analysis, though detailed proof-of-concept included in advisory demonstrates exploitation via curl commands against Docker deployments.
Remote code execution in BentoML's containerization workflow allows attackers to execute arbitrary Python code on victim machines by distributing malicious bento archives containing SSTI payloads. When victims import a weaponized bento and run 'bentoml containerize', unsanitized Jinja2 template rendering executes attacker-controlled code directly on the host system, bypassing all Docker container isolation. The vulnerability stems from using an unsandboxed jinja2.Environment with the dangerous jinja2.ext.do extension to process user-provided dockerfile_template files. Authentication is not required (CVSS PR:N), though exploitation requires user interaction (UI:R) to import and containerize the malicious bento. No public exploit identified at time of analysis, though the GitHub advisory includes detailed proof-of-concept demonstrating host filesystem compromise.
SQL injection in Kestra orchestration platform's flow search endpoint (GET /api/v1/main/flows/search) enables remote code execution on the underlying PostgreSQL host. Authenticated users can trigger the vulnerability by visiting a malicious link, exploiting PostgreSQL's COPY TO PROGRAM feature to execute arbitrary OS commands on the Docker container host. Affects Kestra versions prior to 1.3.7 in default docker-compose deployments. With CVSS 9.9 (Critical) and low attack complexity requiring only low-privilege authentication, this represents a severe risk for container escape and host compromise scenarios.
Command injection in BentoML's cloud deployment path allows remote code execution on BentoCloud build infrastructure via malicious bentofile.yaml configurations. While commit ce53491 fixed command injection in local Dockerfile generation by adding shlex.quote protection, the cloud deployment code path (deployment.py:1648) remained vulnerable, directly interpolating system_packages into shell commands without sanitization. Attackers can inject shell metacharacters through bentofile.yaml to execut
Unauthenticated server-side request forgery in Ech0's link preview endpoint allows remote attackers to force the application server to perform HTTP/HTTPS requests to arbitrary internal and external targets. The /api/website/title route requires no authentication, performs no URL validation, follows redirects by default, and disables TLS certificate verification (InsecureSkipVerify: true). Attackers can probe internal networks, access cloud metadata services (169.254.169.254), and trigger denial-
Unauthenticated remote attackers can trigger complete database overwrites, server-side file reads, and SSRF attacks against Dgraph graph database servers (v24.x, v25.x prior to v25.3.1) via the admin API's restoreTenant mutation. The mutation bypasses all authentication middleware due to missing authorization configuration, allowing attackers to provide arbitrary backup source URLs (including file:// schemes for local filesystem access), S3/MinIO credentials, Vault configuration paths, and encry
{{$context.data.fieldName}}) directly into raw SQL statements, enabling attackers to break out of string literals and inject malicious SQL commands. Publicly available exploit code exists demonstrating UNION-based injection to extract database credentials and system information. With default Docker deployments granting superuser database privileges, attackers gain full read/write access to the database including credential extraction, data modification, and table deletion capabilities.
Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires in
Local privilege escalation in Himmelblau versions 2.0.0-alpha through 2.3.8 and 3.0.0-alpha through 3.1.0 allows authenticated users to assume privileged group membership when their Azure Entra ID-mapped CN or short name collides with system group names (sudo, wheel, docker, adm, etc.). The NSS module resolves the collision to the attacker's fake primary group, potentially granting group-level privileges if the system uses NSS for authorization decisions. CVSS 6.3 (medium); no public exploit identified at time of analysis.
Stored cross-site scripting in File Browser via admin-controlled branding fields allows injection of persistent JavaScript that executes for all visitors, including unauthenticated users. The vulnerability stems from use of Go's text/template (which performs no HTML escaping) instead of html/template when rendering the SPA index.html with branding data. An authenticated admin can inject malicious payloads into branding.name or branding.color fields that break out of their intended HTML context and execute arbitrary JavaScript in every user's browser without restriction, as no Content-Security-Policy header is set. Affected versions through v2.62.1 are vulnerable; vendor-released patches are available.
Stored XSS in File Browser's EPUB preview function (versions ≤v2.62.1) allows authenticated attackers to steal JWT tokens and escalate privileges by uploading malicious EPUB files. The vulnerability arises from passing allowScriptedContent:true to the epub.js library combined with an ineffective iframe sandbox (allow-scripts + allow-same-origin), enabling JavaScript in crafted EPUBs to access parent frame localStorage. CVSS 7.6 (AV:N/AC:L/PR:L/UI:R/S:C). No public exploit identified at time of analysis beyond the detailed PoC in the advisory. EPSS data not available. Vendor-released patch available per GitHub advisory. Low-privilege users with file upload permissions can weaponize this to compromise administrator sessions.
Stored cross-site scripting (XSS) in phpMyFAQ 4.2.0-alpha allows unauthenticated attackers to inject malicious JavaScript via RFC 5321-compliant quoted email addresses in guest FAQ submissions. The injected payload is stored without sanitization and rendered using Twig's |raw filter in the admin FAQ editor, executing in administrator browsers and enabling session hijacking, admin account takeover, and arbitrary site manipulation. A publicly available proof-of-concept demonstrates successful JavaScript execution when administrators review pending FAQs.
Anthropic Python SDK versions 0.86.0 to before 0.87.0 create memory files with overly permissive file permissions (0o666), allowing local attackers to read persisted agent state or modify memory files to influence model behavior on shared hosts and Docker environments. The vulnerability affects both synchronous and asynchronous memory tool implementations and has been patched in version 0.87.0; no public exploit code or active exploitation has been identified at the time of analysis.
Unauthenticated remote access to restricted documents in Admidio 5.0.0-5.0.7 Docker deployments allows disclosure of role-protected files. The Docker image's Apache configuration disables .htaccess processing (AllowOverride None), bypassing intended access controls on uploaded documents. Attackers can directly retrieve files via HTTP without authentication using paths disclosed in upload response JSON. CVSS 7.5 (High) with network-based attack vector and no authentication required. No public exploit identified at time of analysis, though exploitation is straightforward given the configuration flaw.
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated low-privilege attackers to escape Node.js vm sandbox and execute arbitrary commands as root inside Docker containers. The vulnerability exploits exposed WritableWorkerStdio stream objects in the sandbox console to traverse the prototype chain, access the host-realm Function constructor, load unrestricted Node.js modules (child_process), and spawn system commands. Confirmed exploited with reverse shell access, database credential theft (DB_PASSWORD, INIT_ROOT_PASSWORD), and arbitrary filesystem operations. EPSS data not available; public exploit code exists with detailed proof-of-concept demonstrating root shell access in nocobase/nocobase:latest Docker image. Critical 10.0 CVSS score reflects network-exploitable, low-complexity attack with complete confidentiality, integrity, and availability impact plus scope change (container escape implications).
Server-side request forgery in Docker Model Runner allows unprivileged containers or malicious OCI registries to make arbitrary GET requests to internal services by exploiting unvalidated realm URLs in the OCI registry token exchange flow. Affected versions prior to 1.1.25 (Docker Desktop prior to 4.67.0) permit attackers to access host-local services and reflect response bodies back to the caller, potentially exfiltrating sensitive data from internal endpoints. No public exploit code or active exploitation has been reported at time of analysis.
Insecure Direct Object Reference (IDOR) in nginx-ui up to v2.3.3 allows authenticated low-privilege users to access, modify, and delete any resource across all user accounts, including plaintext DNS provider API tokens (Cloudflare, AWS Route53, Alibaba Cloud) and ACME private keys. The application's base Model struct lacks user_id fields, and all resource endpoints query by ID without ownership verification. CVSS 8.8 reflects scope change to external services—stolen Cloudflare tokens enable DNS hijacking and fraudulent certificate issuance. No public exploit identified at time of analysis, but trivial to execute via standard HTTP requests. Vendor-released patch: v2.3.4.
Authenticated denial of service in nginx-ui 2.3.3 and earlier allows any user with settings access to submit a negative integer for the logrotate.interval parameter, triggering an infinite loop in the backend that exhausts CPU resources and renders the web interface unresponsive. Vendor-released patch available in v2.3.4. No public exploit code identified beyond proof-of-concept documentation; not confirmed as actively exploited.
Race condition in nginx-ui web interface allows remote authenticated attackers to corrupt the primary configuration file (app.ini) through concurrent API requests, resulting in persistent denial of service and potential remote code execution. The vulnerability affects nginx-ui versions prior to 2.3.4 deployed in production environments including Docker containers. Concurrent POST requests to /api/settings trigger unsynchronized file writes that interleave at the OS level, corrupting configuration sections and creating cross-contamination between INI fields. In non-deterministic scenarios, user-controlled input can overwrite shell command fields (ReloadCmd, RestartCmd), enabling arbitrary command execution during nginx reload operations. Public exploit code demonstrates the attack path using standard HTTP testing tools. No CISA KEV listing or EPSS data available at time of analysis, but proof-of-concept with detailed reproduction steps exists in the GitHub security advisory.
Authenticated users in nginx-ui v2.3.3 and earlier can delete the entire `/etc/nginx` configuration directory via path traversal using double-encoded sequences (..%252F), causing immediate Nginx service failure and denial of service. The vulnerability exploits improper URL canonicalization combined with unsafe recursive deletion logic that resolves malicious paths to the base configuration directory instead of rejecting them.
Remote authenticated attackers can achieve arbitrary command execution on nginx-ui v2.3.3 servers by manipulating encrypted backup archives during restoration. The vulnerability stems from a circular trust model where backup integrity metadata is encrypted using the same AES key provided to clients, allowing attackers to decrypt backups, inject malicious configuration (including command execution directives), recompute valid hashes, and re-encrypt the archive. The restore process accepts tampered backups despite hash verification warnings. Publicly available exploit code exists with detailed proof-of-concept demonstrating configuration injection leading to arbitrary command execution. Vendor-released patch available in nginx-ui v2.3.4. This represents a regression from GHSA-g9w5-qffc-6762, which addressed backup access control but not the underlying cryptographic design flaw.
Arbitrary file read in Gotenberg versions prior to 8.29.0 allows unauthenticated remote attackers to bypass URL deny-list protections and access sensitive container files via case-variant URI schemes. The default deny-list regex `^file:(?!//\/tmp/).*` only matches lowercase 'file:', but Chromium normalizes mixed-case schemes (FILE://, File://, fILE://) to lowercase after the deny-list check, enabling access to /etc/passwd, environment variables, and configuration files. This bypasses the incomplete fix for CVE-2024-21527. Vendor-released patch available in version 8.29.0. POC confirmed in GitHub advisory. EPSS exploitation probability is low (0.02%) despite public POC, suggesting limited real-world targeting to date.
CrewAI fails to validate Docker runtime availability during execution and silently reverts to an insecure sandbox mode, enabling remote code execution. Affected versions prior to the patch rely on Docker for isolation; when Docker becomes unavailable or is misconfigured, the fallback mechanism does not enforce adequate sandboxing constraints, allowing attackers to execute arbitrary commands within the application context. No CVSS score or official CVE details are available at this time, though the vulnerability has been reported to CERT and carries high practical risk due to the automatic unsafe fallback behavior.
Remote code execution in CrewAI's CodeInterpreter tool occurs when Docker connectivity fails and the system falls back to SandboxPython, allowing unauthenticated remote attackers to execute arbitrary C functions and achieve code execution. The vulnerability affects systems relying on CrewAI's code execution capabilities where Docker is unavailable or unreachable, creating a dangerous fallback condition that bypasses intended sandboxing protections.
Authentication bypass in MinIO allows any authenticated user with s3:PutObject permission to permanently corrupt objects by injecting fake server-side encryption metadata via crafted X-Minio-Replication-* headers. Attackers can selectively render individual objects or entire buckets permanently unreadable through the S3 API without requiring elevated ReplicateObjectAction permissions. Affects all MinIO releases from RELEASE.2024-03-30T09-41-56Z through the final open-source release. Vendor-released patch available in MinIO AIStor RELEASE.2026-03-26T21-24-40Z. No public exploit identified at time of analysis, though the attack mechanism is well-documented in the advisory.
Unauthenticated network access to Home Assistant apps bypasses intended Docker isolation on Linux systems, exposing internal services to any device on the local network. Apps configured with host network mode inadvertently bind internal Docker bridge endpoints to the broader LAN without authentication controls, enabling unauthorized access with high confidentiality, integrity, and availability impact (CVSS 9.6). Vendor-released patch available in Home Assistant Supervisor 2026.03.02. No public exploit identified at time of analysis, though exploitation requires only adjacent network access with low attack complexity.
Path traversal vulnerability rated CVSS 7.5 (High severity) that requires prompt remediation. A vendor patch is available.
Unauthenticated remote cache poisoning in nektos/act (GitHub Actions local runner) enables arbitrary code execution by exposing the built-in actions/cache server on all network interfaces without authentication. Attackers who can reach the cache server (including from the public internet if exposed) can inject malicious cache entries with predictable keys, leading to remote code execution within Docker containers running GitHub Actions workflows. No public exploit identified at time of analysis; EPSS data unavailable. Vendor-released patch available in act v0.2.86.
Command injection in nektos/act (GitHub Actions local runner) allows attackers to execute arbitrary code by embedding deprecated workflow commands in untrusted input. Act versions prior to 0.2.86 unconditionally process ::set-env:: and ::add-path:: commands that GitHub Actions disabled in 2020, enabling PATH hijacking and environment variable injection when workflows echo PR titles, branch names, or commit messages. Publicly available exploit code exists with working proof-of-concept demonstrating NODE_OPTIONS and LD_PRELOAD injection vectors. This creates a critical supply chain risk where workflows safe on GitHub Actions become exploitable when developers test them locally with act.
changedetection.io versions up to 0.54.6 leak all server environment variables including password hashes, proxy credentials, and API keys via unrestricted jq filter expressions. Attackers with API access (default: no authentication required) can extract SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed to the container by creating a watch with 'jqraw:env' as the include filter. Vendor-released patch available in version 0.54.7. No active exploitation confirmed (not in CISA KEV), but a detailed proof-of-concept exists in the GitHub advisory demonstrating full environment variable extraction in three API calls.
Docker daemon allows authorization plugin bypass through specially-crafted API requests that strip request bodies before forwarding to authorization (AuthZ) plugins, enabling attackers with low-level privileges to circumvent access controls. This vulnerability (CVSS 8.8) affects moby/moby and docker/docker packages, representing an incomplete fix for CVE-2024-41110. Vendor-released patch is available via GitHub commit e89edb19ad7de0407a5d31e3111cb01aa10b5a38, and no public exploit has been identified at time of analysis, though base exploitation likelihood is noted as low by the vendor.
Docker daemon privilege validation logic in plugin installation contains a comparison error that allows malicious plugins to bypass approval checks and request unintended privileges, including sensitive device access permissions. The vulnerability affects Docker and Moby (pkg:go/github.com_docker_docker, pkg:go/github.com_moby_moby) across multiple versions, with CVSS 6.8 reflecting high confidentiality and integrity impact. Exploitation requires installation from a malicious plugin source and user interaction during the install prompt, but no active public exploitation has been confirmed.