Skip to main content

Docker

814 CVEs product

Monthly

CVE-2026-33692 PHP HIGH PATCH GHSA This Week

Unauthenticated information disclosure in WWBN AVideo (versions prior to 29.0) deployed via the official docker-compose.yml exposes the application's .env file at /.env, leaking database credentials, the SYSTEM_ADMIN_PASSWORD, and internal Docker network topology. The default Apache document root mount lacks any rule blocking dotfile access, so a single curl request to /.env returns plaintext secrets. No public exploit identified at time of analysis, though reproduction is trivial against any default Docker deployment.

Apache Docker Information Disclosure
NVD GitHub
CVSS 3.1
7.5
CVE-2026-31978 PyPI MEDIUM PATCH GHSA This Month

Path traversal in motionEye v0.43.1 allows any authenticated user - including those with normal (non-admin) privileges - to read arbitrary files from the server filesystem via the picture and movie preview API endpoints. The root cause is inconsistent input validation: `get_media_preview()` and `del_media_content()` in `mediafiles.py` omit the `..` sequence check that `get_media_content()` correctly implements, and the Tornado web framework passes percent-encoded slashes (`%2F`) through unmodified to `os.path.join()`. A fully functional public proof-of-concept demonstrating retrieval of `/etc/passwd` is published in the GitHub security advisory; no public exploit identified at time of analysis for CISA KEV, but the low exploitation complexity and pre-computable default-credential signature make exposed instances an immediate practical target.

Path Traversal Python Docker
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-12888 LOW PATCH Monitor

HTML injection in Canarytokens' Google Chat webhook notifications allows an attacker who triggers a deployed canarytoken to embed limited HTML content - including crafted hyperlinks - inside the resulting alert message rendered in Google Chat. The vulnerable system is Canarytokens itself (Docker tag sha-4aef1db90 through sha-8ab4dccd), but the integrity impact lands on the subsequent system: the Google Chat interface where defenders receive their alerts. A proof of concept exists per CVSS 4.0 supplemental metric E:P; no confirmed active exploitation or CISA KEV listing exists at time of analysis.

Google Code Injection Docker Canarytokens
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.3%
CVE-2026-56265 PyPI CRITICAL PATCH Act Now

Authentication bypass in Crawl4AI Docker API server (versions prior to 0.8.7) allows remote unauthenticated attackers to forge valid JWT tokens because the signing key defaults to the hardcoded value 'mysecret' present in the public source code. Anyone aware of the default secret can mint tokens for arbitrary users and obtain full access to protected crawling, extraction, JavaScript execution, and configuration endpoints. No public exploit identified at time of analysis, but the underlying weakness is trivially reproducible from the upstream repository.

Docker Authentication Bypass Crawl4ai
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-55776 Go MEDIUM PATCH GHSA This Month

OpenBao's transit secrets engine crashes the entire server process when an authenticated caller submits a key-creation request combining an asymmetric key type (rsa-*, ecdsa-*, ed25519) with the derived: true parameter. Affected versions confirmed as 2.5.2 and 2.5.4, with earlier versions also likely vulnerable per the GHSA advisory. The server returns no HTTP response, terminates with exit code 2, and the crash propagates to the entire cluster - making this a high-impact availability denial-of-service requiring only a single authenticated API request. Publicly available exploit code exists in the form of a detailed PoC curl command included in the security advisory; no CISA KEV listing is present at time of analysis.

Docker Denial Of Service Hashicorp Suse
NVD GitHub
CVSS 3.1
6.5
CVE-2026-54762 Go MEDIUM PATCH GHSA This Month

The Kubernetes Ingress NGINX provider in Traefik v3.7.0-ea.1 through v3.7.4 fails open when BasicAuth or DigestAuth cannot be installed because the referenced auth-secret is unresolvable, silently publishing the intended-to-be-protected backend route without any authentication middleware to unauthenticated network clients. Operators who explicitly configure auth via nginx.ingress.kubernetes.io/auth-type and auth-secret annotations are left with a live, fully accessible backend route while Traefik logs a single controller-level error and routes traffic normally - a direct violation of the declared security intent. A detailed proof-of-concept covering eight distinct secret-failure scenarios was developed by the reporter and confirmed on both current master and v3.7.1; no public release of exploit code is confirmed and no CISA KEV listing exists at time of analysis.

Nginx Kubernetes Denial Of Service Docker Red Hat +1
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.2%
CVE-2026-55837 PyPI MEDIUM PATCH GHSA This Month

Token exfiltration in dbt-mcp's embedded OAuth helper server (versions before 1.20.0) allows any co-located process or DNS-rebinding attacker to retrieve a victim's full dbt Cloud access and refresh tokens via a single unauthenticated HTTP GET request. Developers running dbt-mcp in OAuth mode on any shared or browser-accessible host are affected for the entire lifetime of the OAuth helper process following a completed login flow. No public exploit identified at time of analysis, though the GitHub security advisory (GHSA-jr33-mw75-7j8f) includes a fully functional Docker-based PoC with step-by-step reproduction artifacts, substantially lowering the exploitation barrier.

Python CSRF Information Disclosure Docker Authentication Bypass
NVD GitHub
CVSS 3.1
6.8
CVE-2026-54317 PyPI HIGH PATCH GHSA This Week

{device_id}`. The KonnectedView HTTP endpoint sets `requires_auth = False` and only enforces Bearer-token validation on POST/PUT methods, leaving the GET handler entirely unauthenticated. Publicly available exploit code exists in the form of a detailed reporter-published proof of concept against Home Assistant Core 2026.5.2.

Python Microsoft Information Disclosure Docker Oracle
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-49290 HIGH PATCH This Week

Arbitrary file write via path traversal in Slopsmith (a self-hosted Rocksmith 2014 CDLC web app) prior to 0.2.9-alpha.5 allows an attacker who can supply a malicious PSARC or sloppak archive to write files outside the extraction directory, escalating to remote code execution under the default Docker image which runs as root and exposes a writable plugin directory. The CVSS 4.0 vector reports high privileges required (PR:H), reflecting that the attacker must reach the archive-upload/open functionality of an authenticated user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Path Traversal Python RCE Docker Slopsmith
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.6%
CVE-2026-47262 Go MEDIUM PATCH GHSA This Month

Memory exhaustion via maliciously crafted container image in containerd causes an OOM kill of the containerd process, rendering the container runtime API unavailable and disrupting orchestration layers including Docker Engine and Kubernetes control-plane components. CVE-2026-47262 is rated Moderate by the containerd project - lower than the four co-patched Critical/High CVEs - and is fixed across the full active supported release tree in versions 2.3.2, 2.2.5, 2.1.9, 2.0.10, and 1.7.33. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Docker Kubernetes Denial Of Service Containerd
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.5%
CVE-2026-55591 npm MEDIUM PATCH GHSA This Month

Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.

Microsoft Docker Kubernetes Node.js SSRF +2
NVD GitHub
CVSS 3.1
5.8
CVE-2026-54695 PyPI MEDIUM PATCH GHSA This Month

Unauthenticated call-control abuse in pipecat-ai development runner (>=0.0.77, <1.4.0) allows remote attackers reaching an exposed `/ws` telephony WebSocket to inject an attacker-controlled `callSid` that the server then submits to Twilio, Telnyx, or Plivo REST APIs using the operator's own credentials, forcibly terminating victim calls. Publicly available exploit code exists (a full Dockerized PoC is published in the GHSA advisory) and the maintainers shipped a fix in v1.4.0; no CISA KEV listing at time of analysis.

Python Docker Denial Of Service Authentication Bypass OpenSSL +1
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-55686 Go MEDIUM PATCH GHSA This Month

WORKDIR symlink traversal in Podman allows a malicious container image to create arbitrary directories - and under a race condition, modify ownership - directly on the host filesystem, breaking container isolation. Affected versions include Podman v5 through 5.7.0, v4 through 4.9.5, and v3 through 3.4.7; the flaw is in the WORKDIR path resolution logic, which fails to confine symlink dereferences to the container's mount namespace. Public proof-of-concept scripts are included in the vendor's GitHub advisory (GHSA-q6r4-3wmg-fwcq); no active exploitation has been confirmed via CISA KEV.

Information Disclosure Docker Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12539 MEDIUM PATCH This Month

ICMP egress policy bypass in Docker Sandboxes (sbx) allows untrusted workloads - explicitly including AI agents - to defeat the documented ICMP block and reach arbitrary external hosts after a Docker daemon restart. The authorizer enforcing the ICMP egress restriction is applied only at network-creation time and is never re-applied when the daemon reconstructs network state from disk on restart, leaving the policy unenforced for the lifetime of the rebuilt network. No public exploit has been identified at time of analysis, but the bypass enables network reconnaissance and covert-channel data exfiltration directly contradicting the sbx threat model, which treats sandbox workloads as adversarial.

Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-12039 MEDIUM PATCH This Month

DNS covert-channel exfiltration in Docker Sandboxes (sbx) prior to v0.33.0 allows untrusted workloads executing inside internet-connected sandboxes to bypass the configured HTTP/S-only egress allowlist by encoding data into DNS subdomain labels. The per-network embedded DNS resolver forwards all queried names to the host resolver without consulting egress policy, undermining the core isolation guarantee that sbx provides for AI agent workloads. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector assigns high confidentiality impact (VC:H), consistent with the ability to exfiltrate arbitrary in-sandbox data - including API keys, environment variables, and workspace secrets - to an attacker-controlled authoritative DNS server.

Authentication Bypass Docker
NVD GitHub
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-55602 npm MEDIUM PATCH GHSA This Month

Backend routing bypass in http-proxy-middleware allows unauthenticated external attackers to redirect HTTP requests to unintended backends by sending a crafted Host header that acts as a superstring of a configured host+path router key. The vulnerable substring matching logic (`hostAndPath.indexOf(key) > -1` in `src/router.ts`) affects npm package versions 0.16.0 through 3.0.5 and 4.0.0 through v4.0.0-beta.5, enabling bypass of tenant isolation, backend segmentation, or access-control boundaries enforced through proxy routing rules. Publicly available exploit code exists in the GitHub Security Advisory GHSA-64mm-vxmg-q3vj, with vendor-confirmed fixes released as versions 3.0.6 and 4.1.0.

Information Disclosure Docker Red Hat
NVD GitHub VulDB HeroDevs
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-55887 Go HIGH PATCH GHSA This Week

Arbitrary code execution as root on the host running Docker MCP Gateway via argument injection in the `docker run` command line. A malicious OCI image author can craft an `io.docker.server.metadata` label that YAML-unmarshals into runtime-shaping fields of the `catalog.Server` struct, causing the gateway to append attacker-chosen flags like `-v /:/host` and `-u root` when launching the MCP server container. No public exploit identified at time of analysis, but the upstream advisory describes a full exploitation path.

Privilege Escalation RCE Docker
NVD GitHub
CVE-2026-12566 PyPI LOW POC PATCH GHSA Monitor

Authentication token leakage in Black Lantern Security's bbot docker_pull module exposes Docker credentials to MITM attackers who can substitute the realm parameter in a forged WWW-Authenticate Bearer challenge. When bbot contacts a Docker registry and receives a 401 response, the vulnerable module blindly trusts the attacker-supplied realm URL and forwards authentication material to an arbitrary endpoint outside the legitimate registry domain. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but an upstream patch commit is available on GitHub.

SSRF Docker Bbot
NVD GitHub
CVSS 3.1
3.1
EPSS
0.2%
CVE-2026-12565 PyPI MEDIUM POC PATCH GHSA This Month

Path traversal in BBOT's unarchive internal module enables a malicious archive hosted by attacker-controlled infrastructure to write files outside the intended extraction directory when BBOT runs on systems with GNU tar < 1.34. This vulnerability is a residual gap from CVE-2025-10284, which resolved git-specific RCE vectors but left the underlying archive extraction path validation entirely unimplemented, relying instead on inconsistent external tool behavior across platforms. No public exploit has been identified at time of analysis; the CVSS vector (AC:H/UI:R) constrains real-world risk to BBOT operators actively scanning attacker-controlled targets on affected OS distributions, but the high integrity impact (I:H) and zero privilege requirement (PR:N) are significant for red-team and CI/CD BBOT deployments running on legacy base images.

Path Traversal Debian Ubuntu Docker Bbot
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-22555 Go HIGH PATCH GHSA This Week

Authorization bypass in Gitea versions prior to 1.26.0 lets a read-only organization member create repositories in the organization namespace via the API fork endpoint, despite a team configuration that denies repository creation (can_create_org_repo=false). Because the fork creator receives admin rights on the resulting repo, the attacker can enable Actions and push a workflow that exfiltrates all organization-level CI/CD secrets (deploy keys, cloud credentials, API tokens). Publicly available exploit code exists in the GHSA advisory with a full step-by-step PoC; no public exploit identified at time of analysis beyond the reporter's reproduction.

Docker RCE Authentication Bypass Ubuntu Gitea
NVD GitHub
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-54018 PyPI HIGH PATCH GHSA This Week

SSRF protection bypass in Open WebUI's SafePlaywrightURLLoader (versions <= 0.9.5) allows authenticated users to access internal network resources by supplying an externally-hosted URL that returns an HTTP 301/302 redirect to a private address. Because Playwright's page.goto() automatically follows redirects without re-validating the destination, attackers can reach localhost, container-network peers, or cloud metadata endpoints (169.254.169.254) even when ENABLE_RAG_LOCAL_WEB_FETCH=False. A working PoC is published in the GHSA advisory; there is no public exploit identified at time of analysis being actively used, and no CISA KEV listing.

Python SSRF Docker
NVD GitHub
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-54008 PyPI HIGH PATCH GHSA This Week

Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.

Python PostgreSQL Microsoft Docker Redis +4
NVD GitHub
CVSS 3.1
8.5
EPSS
0.2%
CVE-2026-54006 PyPI MEDIUM PATCH GHSA This Month

{event_id}/update` endpoint validates write access only on the source calendar, silently omitting the destination `calendar_id` authorization check that `create_event` correctly enforces - a classic IDOR pattern. A verified public proof-of-concept exists against v0.9.4 (the official Docker image); the fix is available in v0.9.6. No CISA KEV listing was present in the input data, so widespread in-the-wild exploitation is unconfirmed.

Python Authentication Bypass XSS Docker
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-54761 Go MEDIUM PATCH GHSA This Month

Traefik's Kubernetes Gateway provider exposes internal services (`api@internal`, `dashboard@internal`, `rest@internal`) on the data plane due to a namespace allowlist check evaluated against the wrong variable in multi-backendRef (WRR) HTTPRoute rules. Operators who configured `crossProviderNamespaces` to restrict which namespaces may reference cross-provider `TraefikService` backends find that restriction entirely bypassed for routes with two or more backendRefs, allowing an unprivileged route namespace to expose the Traefik API unauthenticated on the normal web entrypoint. A fully functional end-to-end proof-of-concept was included in the disclosure; no public exploit identifier at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Kubernetes Docker Suse
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.4%
CVE-2026-53622 Go HIGH PATCH GHSA This Week

mTLS bypass in Traefik v3.6.17 through v3.7.2 allows unauthenticated remote clients to reach backends protected by router-specific client-certificate policies by negotiating over HTTP/3 (QUIC). The QUIC TLS configuration selector performs only an exact, case-sensitive SNI map lookup, so wildcard host rules (e.g. `*.example.com`) and mixed-case SNI values fall back to the default TLS configuration, which typically does not require a client certificate, while the HTTP routing layer still dispatches the request to the protected backend. Publicly available exploit code exists in the GitHub Security Advisory GHSA-9cr8-q42q-g8m7, but there is no public exploit identified at time of analysis indicating active in-the-wild abuse.

OpenSSL Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.2%
CVE-2026-53755 PyPI HIGH PATCH GHSA This Week

Unauthenticated server-side request forgery in Crawl4AI's Docker API server (versions < 0.8.9) lets remote attackers reach internal services and cloud-metadata endpoints by supplying a proxy address that bypasses the crawl-URL validation. Because the Docker API is unauthenticated by default and the SSRF check was only applied to the crawl target - not to the proxy destination - an attacker can route Chromium's egress through an internal IP (e.g. AWS IMDSv1 at 169.254.169.254) and read the response verbatim from the crawl result. No public exploit is identified at time of analysis, but the reporter supplied a working PoC and EPSS risk is low (0.29%, 20th percentile).

Google SSRF Docker
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-53754 PyPI HIGH PATCH GHSA This Week

Server-Side Request Forgery in Crawl4AI's Docker API server (versions <= 0.8.7) allows unauthenticated remote attackers to bypass the IPv4/IPv6 CIDR blocklist in validate_webhook_url/validate_url_destination by using IPv6 transition forms (NAT64, 6to4, IPv4-mapped, IPv4-compatible) or the unspecified address. Since the Docker API ships with jwt_enabled:false by default, attackers can pivot the server into fetching cloud metadata endpoints like 169.254.169.254, potentially exposing IAM credentials. No public exploit identified at time of analysis, but the upstream advisory (GHSA-4qqr-vv2q-cmr5) details the exact bypass payloads.

Docker SSRF Oracle
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-53753 PyPI CRITICAL PATCH GHSA Act Now

Unauthenticated remote code execution in Crawl4AI's Docker API (versions <= 0.8.6) lets attackers escape the computed-fields expression sandbox and run arbitrary OS commands inside the container. The AST validator behind `_safe_eval_expression()` only blocked attribute names beginning with an underscore, so a crafted `JsonCssExtractionStrategy` schema can reach generator/frame attributes (`gi_frame`, `f_back`, `f_builtins`) to recover the real `__import__` and execute code. Because JWT auth is disabled by default, a single `POST /crawl` request suffices; publicly available exploit code exists (SSVC: PoC) and the vendor rates it CVSS 10.0, though EPSS is low at 0.45%.

Python Code Injection RCE Docker
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-48491 Go HIGH PATCH GHSA This Week

Mutual-TLS bypass in Traefik v3.7.0 and v3.7.1 lets unauthenticated remote attackers reach backends protected by wildcard-router `TLSOptions` (for example `Host("*.example.com")` with `RequireAndVerifyClientCert`). The `SNICheck` domain-fronting middleware resolves TLS options for the HTTP `Host` header via exact map lookups only, so an attacker completing the TLS handshake under a permissive SNI on the same entrypoint can then send a `Host` header for the wildcard-protected backend and skip the client-certificate requirement. Publicly available exploit code exists in the GitHub Security Advisory PoC; this is independent of the prior HTTP/3 mTLS issue.

Kubernetes OpenSSL Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.2%
CVE-2026-54090 Go HIGH PATCH GHSA This Week

Authenticated command injection in File Browser (github.com/filebrowser/filebrowser/v2 before 2.33.8) lets any user holding Execute permission bypass the command allowlist when a shell interpreter such as /bin/sh -c is configured. Because the allowlist validates only the first token while the full raw string is passed to the shell, an attacker chains arbitrary OS commands after a permitted one using metacharacters (;, |, backticks, $()), executing them at the server process privilege - root in the default Docker image. A detailed working PoC is published in the GHSA advisory; EPSS is very low (0.02%, 7th percentile) and the vulnerable Command Execution feature is disabled by default from 2.33.8 onward, including for upgraded existing installations.

Command Injection Docker
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-54093 Go MEDIUM PATCH GHSA This Month

Zip-slip path traversal in filebrowser v2.63.5 and earlier (Linux-hosted) allows any authenticated user with Create permission to plant a file whose name contains URL-encoded Windows-style backslash traversal sequences (`%5C`). The Linux server stores the file with a literal backslash in its name, which `filepath.ToSlash()` silently ignores, and the archive download handler emits that name verbatim into zip/tar central directories. When a Windows victim downloads and extracts the archive using Explorer, 7-Zip, WinRAR, or .NET `ZipFile.ExtractToDirectory`, the extractor interprets `\` as a path separator and writes files to arbitrary locations outside the extraction directory - enabling arbitrary file write on the victim's Windows machine. No public exploit identified at time of analysis beyond the full PoC published in the GHSA advisory; EPSS is 0.03% (8th percentile), consistent with the two-party, victim-interaction requirement.

Path Traversal Canonical Microsoft Docker
NVD GitHub
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-54094 Go HIGH PATCH GHSA This Week

Symlink-following scope escape in File Browser (filebrowser/filebrowser v2 ≤ 2.63.13) lets a restricted, scoped user-and in the public-share case an unauthenticated recipient-read, overwrite, and share files outside their assigned directory whenever a symlink lexically inside their scope resolves to a target elsewhere on the server. The per-user BasePathFs root blocks lexical ../ traversal but the HTTP handlers dereference symlinks before serving, writing, or sharing, so any file the server process can reach is exposed. Publicly available proof-of-concept exploit code exists in the GHSA advisory; the issue is not in CISA KEV and EPSS is low (0.07%, 23rd percentile).

Path Traversal Docker
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-54092 Go MEDIUM PATCH GHSA This Month

Unauthenticated denial-of-service in File Browser (filebrowser/filebrowser) versions <= 2.63.5 allows remote attackers to exhaust CPU and memory by submitting arbitrarily large passwords to the public /api/login endpoint, which are then passed unchecked into the bcrypt-style CheckPwd hashing routine. Publicly available exploit code exists in the GitHub advisory PoC, and concurrent abuse can crash the container and even destabilize the host Docker daemon. EPSS is low (0.04%) and the issue is not in CISA KEV, but the trivial AV:N/AC:L/PR:N exploitation profile makes it a real availability risk for any internet-exposed instance.

Docker Denial Of Service Python
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47174 CRITICAL PATCH Act Now

Production deployment compromise in Duck Site before 1.0.1 allows remote attackers to push attacker-controlled code as the live production Docker image without code review or merge approval. The flaw stems from a GitHub Actions deploy workflow that can be tricked into treating an unmerged pull request build as a main-branch deployment, then checking out the PR commit, building it, pushing it as the `latest` Docker tag, and triggering a Dokploy deployment. No public exploit identified at time of analysis, and CVE is not listed in CISA KEV.

Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
9.5
EPSS
0.0%
CVE-2026-47172 CRITICAL PATCH Act Now

Privileged GitHub Actions workflow injection in Quest Bot (Discord moderation bot) prior to version 1.0.3 allows remote attackers to deploy malicious container images to production by opening a pull request from a branch named 'main'. The unprivileged build workflow's head_sha is consumed by a downstream privileged deploy workflow, which then builds and publishes attacker-controlled code as the 'latest' Docker image and triggers production rollout. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-9qf3-c86c-j346) documents the chain end-to-end.

Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
9.5
EPSS
0.0%
CVE-2026-48053 PyPI MEDIUM PATCH GHSA This Month

Server-side request forgery in Kolibri (pip/kolibri <= 0.19.3) allows network-reachable attackers to force the Kolibri server to issue outbound HTTP requests to arbitrary internal hosts, cloud metadata endpoints, and internal services, with JSON response bodies reflected directly to the caller. The primary GET endpoint at /api/auth/remotefacilityuser required no authentication whatsoever, making this exploitable by any party with network access to the Kolibri server. A working proof-of-concept was retained internally by the reporting researcher but was not published; no public exploit code exists and CISA KEV listing has not been identified at time of analysis.

Python Microsoft Docker SSRF Oracle +1
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-11816 PyPI HIGH PATCH This Week

Path traversal in Keras archive extraction utilities prior to version 3.14.0 allows remote attackers to write files outside the intended extraction directory when a victim loads a malicious model archive. The flaw stems from validating archive member paths against the process current working directory rather than the actual extraction destination, which collapses to the filesystem root in common Docker, CI/CD, and Jupyter setups. No public exploit identified at time of analysis, but the upstream fix and a Huntr bounty disclosure make targeted exploitation against ML pipelines plausible.

Path Traversal Python Docker Keras
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-48039 PyPI CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API access token from pipeboard-co/meta-ads-mcp through version 1.0.108 when the server is run with the streamable-HTTP transport on a network-reachable port. The AuthInjectionMiddleware silently forwards requests lacking an Authorization or X-PIPEBOARD-API-TOKEN header, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and Graph API error responses echo the request URL - including the token query parameter - back to the caller. A working proof-of-concept is published in GHSA-9gw6-46qc-99vr; no public exploit identified at time of analysis as a separate weaponized tool, but the PoC is sufficient to reproduce end-to-end.

Python Authentication Bypass Information Disclosure Docker
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-48020 Go HIGH POC PATCH GHSA This Week

Route-level authentication bypass in Traefik's StripPrefix middleware allows unauthenticated remote attackers to reach protected backend endpoints (e.g., /admin, /internal/config) by crafting request paths such as /api../admin or /api%2e%2e/admin. The public router matches before path normalization, but StripPrefix subsequently normalizes the path via JoinPath() so the backend receives the protected path without the authentication middleware ever running. Publicly available exploit code exists (full PoC in the advisory), patches are released, and EPSS sits at 0.22% (45th percentile) with no CISA KEV listing.

Python Authentication Bypass Docker
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.2%
CVE-2026-47253 Go HIGH PATCH GHSA This Week

Arbitrary directory deletion in julien040/anyquery 0.4.4 and earlier allows an authenticated low-privileged bearer-token holder to delete any directory accessible to the server process by submitting a SQL query that invokes clear_plugin_cache with a path-traversal payload. The flaw stems from path.Join silently resolving '..' segments before os.RemoveAll, and publicly available exploit code exists in the GitHub Security Advisory GHSA-j9rx-rppg-6hh4. Verified impact includes irreversible deletion of files outside the intended $XDG_CACHE_HOME/anyquery/plugins/ cache root, producing data loss and denial of service.

Python Docker Denial Of Service Path Traversal
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-48051 npm LOW PATCH GHSA Monitor

Papra's webhook delivery system allows any authenticated organisation member to bypass SSRF protections and cause the server to issue HTTP requests to loopback, link-local, and RFC-1918 addresses by exploiting automatic redirect-following in the ofetch HTTP client. The SSRF blocklist is enforced on registered webhook URLs but never applied to 3xx redirect destinations, meaning an attacker-controlled server can return a 302/307 response pointing to any internal address and Papra's server will follow it. A public proof-of-concept is available and exploitation was confirmed against the official Docker image; no CISA KEV listing is present at time of analysis.

Python Docker Microsoft SSRF
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-11859 LOW PATCH Monitor

HTML injection in the 'fetch links' alert email feature of Thinkst Canarytokens allows unauthenticated remote attackers to embed malicious HTML and JavaScript into notification emails delivered to token owners (defenders). The vulnerability is notable because it weaponizes the deception platform's own alert mechanism against the security operators relying on it - turning a defensive tool into a phishing vector. Proof-of-concept exploit code exists (CVSS 4.0 E:P), though the vulnerability is not listed in CISA KEV and the CVSS 4.0 base score of 2.0 reflects the limited, interaction-dependent impact.

Docker XSS
NVD GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-47693 PHP MEDIUM PATCH GHSA This Month

CSV Injection in Poweradmin's log export functionality allows a high-privileged attacker to embed spreadsheet formulas in usernames that execute when an administrator exports activity logs and opens the resulting CSV in Excel, LibreOffice Calc, or Google Sheets. All four log export controllers pass username fields directly to PHP's fputcsv() without neutralizing formula trigger characters (=, +, -, @), enabling phishing via rendered hyperlinks and silent data exfiltration via =IMPORTXML() or similar functions targeting victim administrators. Publicly available exploit code exists per GHSA-3h6h-67x3-cv5x; the vulnerability is not listed in CISA KEV.

Google PHP Information Disclosure Microsoft Docker
NVD GitHub
CVSS 3.1
6.9
EPSS
0.0%
CVE-2026-47252 Go CRITICAL PATCH GHSA Act Now

Code injection in the anyquery chrome_tabs plugin (and Brave/Edge/Safari variants) on macOS allows an authenticated SQL client to break out of an AppleScript URL property record and execute arbitrary `osascript` commands, including `do shell script` for OS-level command execution. The flaw affects anyquery 0.4.4 (commit 0abd460) and stems from unescaped string interpolation at plugins/chrome/tabs.go:141 and :169. Publicly available exploit code exists in the GHSA advisory (GHSA-hrj8-hjv8-mgwc), though no public exploit identified at time of analysis in mass-exploitation feeds and KEV does not list it.

Command Injection Code Injection Google RCE Apple +2
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-45034 PHP CRITICAL PATCH GHSA Act Now

Phar deserialization in PhpSpreadsheet (PHPOffice) is reachable on PHP 7.x because the `File::prohibitWrappers` helper added to patch CVE-2026-34084 can be bypassed with a three-slash phar URI such as `phar:///path/file.phar/inner`, where `parse_url` returns false and the wrapper check is skipped. Remote attackers who can supply a file path to `IOFactory::load()` achieve full RCE on PHP 7.x branches (1.x up to 1.30.4) and a phar file-read primitive on PHP 8.x branches up to 5.7.0; publicly available exploit code exists with a working Docker reproducer, though EPSS is only 0.04% (12th percentile).

PHP Docker Deserialization
NVD GitHub
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-48017 npm HIGH PATCH GHSA This Week

Remote code execution in DbGate (npm package dbgate-api) versions 7.1.8 and earlier allows any authenticated user with basic access to execute arbitrary OS commands by injecting JavaScript into the `functionName` parameter of the `POST /runners/load-reader` endpoint. The flaw stems from unsanitized string interpolation into a server-side script template, and the `require=null` sandbox is bypassed via `process.binding("spawn_sync")`. Publicly available exploit code exists (vendor-published PoC in the GHSA advisory), and the issue carries a CVSS 8.8 rating with low-complexity, low-privilege exploitation.

Privilege Escalation Code Injection RCE Docker Node.js
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-47670 npm CRITICAL POC PATCH GHSA Act Now

Authenticated remote code execution in DbGate (all versions through 7.1.8) allows any user with valid credentials to execute arbitrary OS commands as the process owner - root in Docker - by injecting newline-delimited JavaScript into the unsanitized `functionName` parameter of the `/runners/load-reader` API endpoint. A prior partial mitigation (`require = null`) introduced in commit cf3f95c (June 2025) is trivially bypassed using the dynamic `import()` language keyword, which cannot be nullified at runtime. Publicly available exploit code exists demonstrating full root-level command execution; this vulnerability is not listed in CISA KEV at time of analysis.

Python Privilege Escalation Command Injection RCE Docker
NVD GitHub
EPSS
0.3%
CVE-2026-47669 npm CRITICAL PATCH GHSA Act Now

Remote code execution in DbGate versions 7.1.8 and earlier allows network-adjacent attackers to achieve full container compromise via a Zip Slip flaw in the archive unzip endpoint. Because the default Docker deployment runs as root and the bundled 'none' authentication provider issues JWT tokens without credentials, any attacker reachable on the network can upload a malicious ZIP that writes files anywhere on the filesystem, including cron entries for code execution. Publicly available exploit code exists in the GHSA advisory itself, and an upstream patched release (7.1.9) is available.

Docker Python Path Traversal
NVD GitHub
EPSS
0.1%
CVE-2026-47668 npm CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote code execution in DbGate (npm package dbgate-serve, versions <= 7.1.8) lets remote attackers execute arbitrary Node.js code by injecting JavaScript through the functionName parameter of the POST /runners/start JSON script runner. Default Docker deployments ship with Anonymous authentication enabled, making this exploitable without credentials (CVSS 10.0), and a public Nuclei template plus detailed PoC mean publicly available exploit code exists even though no CISA KEV listing was identified at time of analysis.

Docker Node.js RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-47703 Go MEDIUM PATCH GHSA This Month

DNS transaction ID entropy collapse in AdGuard Home (≤v0.107.74) and its underlying dnsproxy library (≤v0.81.2) reduces the backend UDP forwarding tuple from two random variables to one: the DNS ID is deterministically 0 on every client-triggered DoQ-to-UDP hop, leaving only the UDP source port as the sole remaining entropy variable. An off-path attacker who can inject spoofed ICMP error messages toward the resolver's egress address can exploit a reliable source-port oracle - confirmed across four consecutive runs for both products - to identify the correct backend socket state before injecting a forged DNS response, placing this attack in the same threat-model class as SAD DNS and TUdoor. No public exploit confirmed at time of analysis beyond the working oracle reproducer included in the advisory disclosure; the advisory is not listed in CISA KEV.

OpenSSL Race Condition Oracle Information Disclosure Docker
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-50183 PHP MEDIUM PATCH GHSA This Month

Stored XSS in AVideo's YouTubeAPI plugin allows any YouTube video uploader whose video matches the AVideo operator's configured search keyword to inject arbitrary JavaScript into every visitor's browser via the homepage gallery section. The `snippet.title` field returned by the YouTube Data API is rendered verbatim across four HTML output sites in `plugin/YouTubeAPI/gallerySection.php`, three of which apply no encoding whatsoever; the fourth applies only a partial `str_replace` that strips double-quotes and leaves the other three sinks untouched. Publicly available exploit code is documented in GHSA-66q5-cj5g-wrfx; the payload persists for up to 3600 seconds (the default cache TTL) after the hostile video is removed from YouTube, and when the victim is an authenticated AVideo administrator the injected script can escalate to full administrative takeover via cookie-based requests lacking CSRF protection.

PHP XSS Docker CSRF
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-8462 Go MEDIUM PATCH GHSA This Month

SQL injection in OpenMeter's meter creation API allows any authenticated tenant to execute arbitrary ClickHouse SQL against a shared database with no row-level security, enabling full cross-tenant data exfiltration. The vulnerable endpoint is POST /api/v1/meters, where the valueProperty and groupBy fields are interpolated directly into ClickHouse SELECT statements via fmt.Sprintf without parameterization, and the sanitization function (sqlbuilder.Escape) only escapes library-internal placeholder characters - not single quotes. A publicly available exploit code (PoC) exists demonstrating confirmed time-based blind injection, and no public exploit identified at time of analysis in the CISA KEV sense, though the PoC lowers the barrier to exploitation significantly.

Denial Of Service Docker Python SQLi
NVD GitHub
EPSS
0.0%
CVE-2026-45730 Go HIGH PATCH GHSA This Week

{id}) or delete (DELETE /api/projects) any project on the platform, triggering cascading deletion of associated Functions, APIGateways, and FunctionEvents. The write paths construct PermissionOptions without setting MemberIds, causing the platform-layer FilterProjectsByPermissions to short-circuit and skip OPA enforcement entirely. Publicly available exploit code exists (detailed working PoC in the advisory), and the issue is fixed in Nuclio 1.16.0 via PR #4107.

Authentication Bypass Python Docker Kubernetes
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-41234 PHP HIGH PATCH GHSA This Week

Authenticated zone-file injection in Froxlor <=2.3.6 allows a customer with DNS editing enabled to inject newline characters into TXT record content via the DomainZones.add API, breaking out of the record line in the generated BIND zone file and injecting arbitrary BIND directives ($INCLUDE, $GENERATE) or DNS records (A, MX, CNAME). The flaw is an incomplete fix for CVE-2026-30932, which sanitized LOC/RP/SSHFP/TLSA records but left TXT handling reliant only on Dns::encloseTXTContent(), which strips no control characters. Publicly available exploit code exists (detailed PoC including a Python script in the GHSA advisory), but there is no public exploit identified at time of analysis in CISA KEV and no EPSS score was provided.

Python Apache PHP Information Disclosure Docker +1
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-10729 LOW Monitor

HTML injection in Thinkst Applied Research Canarytokens notification emails for 'Slow Redirect' and 'Cloned Website' token types allows an attacker who triggers those tokens to embed arbitrary HTML and JavaScript into the alert email sent to the operator. If the recipient opens the notification in an HTML-rendering email client, the injected content executes within that client's context, enabling interface manipulation and XSS. This affects self-hosted Docker deployments between tag sha-c42435e and sha-bfda4df; a proof of concept exists (CVSS E:P), though no public exploit confirmed active exploitation and CISA KEV listing is absent.

Docker XSS
NVD GitHub VulDB
CVSS 4.0
1.2
EPSS
0.0%
CVE-2026-36576 CRITICAL Act Now

Remote command execution in openlabs docker-wkhtmltopdf-aas (up to commit 9f50579) allows unauthenticated attackers to run arbitrary OS commands by sending a crafted POST request to the app.py PDF conversion endpoint. The CVSS 9.8 rating reflects network-reachable, no-privilege, no-interaction exploitation, and while no public exploit identified at time of analysis, the referenced source line (app.py#L40) makes the injection sink trivially discoverable for any attacker reviewing the repository.

Docker Command Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-8936 HIGH PATCH This Week

Denial of service in Docker Desktop versions 4.33.0 through 4.75.x allows a local low-privileged user inside a container to crash the underlying Linux VM by triggering unbounded recursion in the grpcfuse kernel module. The flaw is exercised by creating deeply nested directories on a bind-mounted host folder and forcing a dentry invalidation event, which panics the virtualization layer that backs the entire Docker engine. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Docker Information Disclosure
NVD VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-45131 CRITICAL Act Now

Secret exfiltration in CloudPirates Open Source Helm Charts (prior to commit fcf9302) allows unauthenticated attackers to steal repository secrets, including Docker Hub credentials and tokens, by submitting a malicious fork pull request that triggers the pull-request.yaml GitHub Actions workflow in a privileged context. No public exploit is identified at time of analysis, but the attack pattern is a well-known pwn-request misconfiguration that requires no maintainer approval, and the CVSS score of 10.0 (Critical) with scope change reflects compromise of CI/CD secrets that extend beyond the workflow boundary.

Docker RCE Code Injection
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-47394 PyPI HIGH PATCH GHSA This Week

Unauthenticated arbitrary file read in PraisonAI's MCP server (pip/PraisonAI <= 4.6.39) allows remote callers to retrieve any file readable by the host user via the praisonai.workflow.show, praisonai.workflow.validate, and praisonai.deploy.validate tool handlers. The flaw is an incomplete fix for CVE-2026-44336: a hardening helper was applied to the rules.* tools but not to these adjacent workflow/deploy handlers, and the dispatcher still forwards unvalidated kwargs to handlers. Publicly available exploit code exists (working proof-of-concept in the advisory); no public exploit identified at time of analysis as a packaged exploit, but the advisory itself ships a runnable PoC.

Docker PostgreSQL Path Traversal Python
NVD GitHub
EPSS
0.1%
CVE-2026-47226 PHP MEDIUM PATCH GHSA This Month

Cross-folder unauthorized file deletion in Admidio v5.0.9 allows any authenticated member with upload rights on a single folder to permanently destroy files stored in folders where they hold only view access. The vulnerability stems from a broken authorization boundary in modules/documents-files.php: the top-level upload-right check trusts an attacker-supplied folder_uuid URL parameter rather than the target file's actual parent folder, while the file_delete handler performs only a view-right check. This is confirmed as an incomplete fix of GHSA-rmpj-3x5m-9m5f (previously addressed in v5.0.7 but reintroduced by v5.0.9). A fully functional public proof-of-concept with step-by-step curl commands has been confirmed against a Docker deployment of v5.0.9; no public exploit identified at time of analysis as a weaponized tool, but the PoC lowers exploitation barrier significantly.

Docker PHP CSRF Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45741 Go HIGH GHSA This Week

SSRF deny-list bypass in Gotenberg v8 (<= 8.32.0) allows unauthenticated remote attackers to reach internal cloud metadata services (e.g., AWS/GCP/Azure IMDS at 169.254.169.254) by serving a crafted DNS AAAA record containing IPv6 6to4, NAT64, or deprecated site-local prefixes that the IsPublicIP allow-list fails to recognize. Publicly available exploit code exists via the GitHub Security Advisory PoC, and the Chromium URL-convert route returns the upstream response as a PDF, yielding a full-read SSRF that can leak IAM credentials. No vendor-released patch identified at time of analysis (advisory lists no fixed version).

Google Microsoft Docker SSRF
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-44829 Go HIGH PATCH GHSA This Week

Zip slip path traversal in Gotenberg through version 8.32.0 allows remote unauthenticated attackers to plant files outside the extraction directory on Windows hosts that unzip multi-output API responses. Because Gotenberg runs on Linux containers, its filepath.Base sanitisation never strips Windows-style backslashes from uploaded multipart filenames, so a crafted name like '..\..\..\Windows\System32\evil.pdf' is preserved verbatim as a zip entry name and honoured by Windows extractors (7-Zip, WinRAR, .NET ZipFile, Explorer). A working publicly available exploit code exists in the GHSA advisory; the issue is not present in CISA KEV and no EPSS score was provided.

Docker Microsoft Path Traversal Python
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-45628 CRITICAL Act Now

Command injection in Dokploy 0.29.2 and earlier allows authenticated users with application create/edit permissions to execute arbitrary shell commands on the host by injecting metacharacters into branch names, repository URLs, or Docker credentials. The flaw stems from unsanitized template-literal interpolation passed to child_process.exec(), and at time of analysis no public exploit identified at time of analysis, but the vendor security advisory GHSA-3frc-cfh9-ch2c documents the issue.

Docker Information Disclosure
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-45663 CRITICAL Act Now

Command injection in Dokploy 0.29.1 and earlier allows authenticated users to execute arbitrary OS commands on the host by abusing the Docker file upload feature's unsanitized destinationPath parameter. The CVSS 9.9 score reflects scope change to the underlying host from a containerized context, and no public exploit identified at time of analysis though the GHSA advisory provides sufficient technical detail to reconstruct one.

Docker File Upload Command Injection
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-45662 HIGH This Week

Command injection in Dokploy 0.29.0 and earlier allows authenticated users to execute arbitrary OS commands on the host by deleting a Docker registry whose registryUrl contains shell metacharacters. The deleteRegistry function in packages/server/src/services/registry.ts passes registryUrl unescaped into docker logout, while the adjacent docker login call correctly uses shEscape() - making this a clear regression. No public exploit identified at time of analysis, but the root cause is documented in the vendor's GHSA advisory.

Docker Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-45633 CRITICAL Act Now

Authenticated command injection in Dokploy 0.26.6 and earlier enables any logged-in user to run arbitrary OS commands as root via the /docker-container-logs WebSocket endpoint. The tail and since parameters are concatenated into shell commands without validation, yielding a CVSS 9.9 (Scope:Changed) issue affecting this self-hosted PaaS. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Docker Command Injection
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-10042 CRITICAL PATCH Act Now

{method_name} and /simple_execute/{method_name} endpoints, which call pickle.loads() on raw HTTP request bodies. The flaw scored CVSS 4.0 of 9.2 and has an upstream fix in commit d7441481, but no public exploit was identified at time of analysis; risk is amplified by the default Docker image running as root, leading to full container compromise.

Docker RCE Deserialization
NVD GitHub
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-47179 Go HIGH PATCH GHSA This Week

Authenticated arbitrary file read in Arcane (Docker management UI) versions ≤ 1.19.3 allows any low-privileged user to read any file accessible to the backend process by abusing Docker Compose `include:` directives. Because `CreateProject` skips include-path validation that `UpdateProject` enforces, an attacker can register a project whose compose file points at `/etc/passwd` or `/app/data/arcane.db`, then fetch the contents via the project file API - yielding stored password hashes and API keys for all users, enabling admin takeover and host RCE through Arcane's Docker control plane. No public exploit identified at time of analysis; vendor patch is available in 1.19.4.

Docker Path Traversal Privilege Escalation
NVD GitHub
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-48116 HIGH PATCH This Week

Command injection in AnythingLLM prior to 1.13.0 allows attackers chatting with an agent to execute arbitrary commands inside the server container by abusing the filesystem-search-files skill. The LLM-controlled pattern parameter is passed to ripgrep without a '--' end-of-options separator, letting a crafted pattern like '--pre=/bin/sh' coerce ripgrep into executing files as shell scripts. The default official Docker image ships with the filesystem plugin enabled, making typical deployments exploitable; no public exploit identified at time of analysis.

Docker Command Injection
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45704 PHP HIGH PATCH GHSA This Week

Broken access control in Pimcore's CustomReports bundle (composer package pimcore/pimcore, versions ≤ 12.3.5) lets an authenticated low-privileged backend user who holds only the generic `reports` permission read the full configuration of custom reports they were never granted access to. The report detail endpoint (`getAction`) validates only coarse `reports`/`reports_config` permissions, whereas the listing endpoint enforces per-report sharing rules through `loadForGivenUser()`; consequently a report hidden from a user's visible list can still be retrieved directly by name. A working proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-jwcc-gv4m-93x6), so publicly available exploit code exists, but there is no public evidence of active exploitation.

Docker PHP Authentication Bypass
NVD GitHub
EPSS
0.0%
CVE-2026-45703 PHP MEDIUM PATCH GHSA This Month

WordExportBundle in Pimcore CMS enforces only feature-level permission (`word_export`) at export initiation but performs no object-level authorization check against the target document element, constituting a broken object-level authorization (BOLA) flaw. Authenticated low-privileged backend users holding the `word_export` permission can supply arbitrary `type/id` parameters to `wordExportAction()` to export full content - including titles, descriptions, and body - from pages, snippets, emails, or objects they are explicitly denied `view` access to. A publicly available proof-of-concept script is included in the GitHub security advisory GHSA-332x-r494-54fq confirming practical exploitability; the vulnerability is not currently listed in CISA KEV.

Docker PHP Authentication Bypass
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-44830 HIGH PATCH This Week

Authentication bypass in Nocturne Memory before 2.4.1 lets any network-adjacent client gain unauthenticated read/write/delete access to the full Knowledge-Graph API when operators deploy the default Docker configuration without setting API_TOKEN. Because the server binds to 0.0.0.0 with CORS allow_origins=["*"] and the BearerTokenAuthMiddleware silently disables auth on an empty token, an attacker on the same LAN can tamper with memory entries such as system://boot and core://* that auto-load into downstream MCP agent sessions, enabling persistent prompt-injection. There is no public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the source data.

Docker Authentication Bypass
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-44210 Go MEDIUM PATCH GHSA This Month

VM escape in Kata Containers allows any Kubernetes user with pod-creation rights to break out of the VM sandbox and gain full read/write access to the host filesystem. All Kata Containers installations prior to commit ffa59ce3aa78 are affected when using the default configuration.toml, which enables the `virtio_fs_extra_args` and `kernel_params` pod annotations out of the box. An attacker crafts a pod with two annotations: one to redirect virtiofsd to serve the host root filesystem (`/`) into the guest VM, and a second to enable the agent debug console - after which the entire host filesystem is accessible from inside the supposedly isolated VM. A fully working proof-of-concept with confirmed output against Kata Containers 3.28.0 on Ubuntu 24.04 has been publicly disclosed; no public exploit confirmed as actively exploited (CISA KEV) at time of analysis.

Ubuntu Kubernetes Gitlab Docker Code Injection +1
NVD GitHub
EPSS
0.1%
CVE-2026-47672 Maven MEDIUM GHSA This Month

Unauthenticated write access to patient electronic health records in epa4all-client 1.2.4 and earlier exposes German Telematik Infrastruktur (ePA 3.0) deployments to unauthorized data manipulation. The REST adapter component ships with no authentication or authorization controls, allowing any adjacent-network caller to write arbitrary documents to any patient EHR accessible via the institution's SMC-B card. No public exploit code has been identified at time of analysis, but the CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and minimal technical complexity once network-adjacent.

Authentication Bypass Docker Java
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45082 HIGH PATCH This Week

Server-side request forgery in Karakeep self-hosted bookmark manager versions prior to 0.32.0 allows authenticated users to bypass internal-network protections by chaining attacker-controlled HTTP redirects, reaching Docker-internal services from the crawler and video download flows. Publicly available exploit code exists per SSVC, though EPSS is low at 0.03% and the issue is not in CISA KEV. Fixed in version 0.32.0.

Docker SSRF Karakeep
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-47125 Go HIGH PATCH GHSA This Week

{id}/templates/variables endpoint, which lacks the checkAdmin() guard applied to every other admin-sensitive handler. Because global variables are merged into every project's compose file at deploy time, an attacker can redirect image pulls to a malicious registry to achieve cross-tenant supply-chain code execution on the Docker host, steal credentials from other users' deployments, or break every project on the instance. No public exploit identified at time of analysis, but the GHSA advisory documents the exact vulnerable code path.

Authentication Bypass Docker
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5843 HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to achieve RCE on the host by tricking the MLX inference backend into loading a Python file from an attacker-controlled OCI model registry. The MLX-LM library imports the file referenced by config.json's model_file field via importlib without any trust_remote_code gate, and the backend runs unsandboxed as the Docker Desktop user. Patched in Docker Desktop 4.71.0; no public exploit identified at time of analysis and EPSS is very low (0.01%), but the SSVC technical impact is rated total.

Python Apple RCE Docker
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-5817 HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's vllm-metal inference backend on macOS allows any container on the Docker network to trigger host-level RCE by pulling a malicious model from an OCI registry and requesting inference. The Docker Model Runner unconditionally sets trust_remote_code=True and runs without sandboxing, so AutoTokenizer.from_pretrained() loads attacker-controlled Python from the model and executes it as the Docker Desktop user. No public exploit identified at time of analysis; EPSS sits at 0.01% and SSVC marks exploitation as 'none' despite total technical impact.

Python Apple RCE Docker
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-6406 HIGH PATCH This Week

Enhanced Container Isolation (ECI) bypass in Docker Desktop allows a local low-privileged user with Docker CLI access to mount the Docker Engine socket into a container by invoking the --use-api-socket flag, granting full Docker Engine control and exposure of registry credentials. The flaw stems from the API proxy inspecting only HostConfig.Binds while the flag routes the mount through HostConfig.Mounts, slipping past ECI policy. No public exploit identified at time of analysis, but the issue was reported by Docker itself and disclosed via ZDI (ZDI-26-299).

Authentication Bypass Docker
NVD VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-46670 PHP CRITICAL POC PATCH GHSA Act Now

Unauthenticated SQL injection in YesWiki's Bazar form-import path allows any remote visitor to inject arbitrary SQL into an INSERT statement and exfiltrate the entire database, including yeswiki_users.password hashes. Affects YesWiki 4.6.1, 4.6.2, and the doryphore-dev branch prior to 4.6.4. Publicly available exploit code exists (a working Python PoC is published in the GHSA advisory), though no public exploit identified in CISA KEV at time of analysis.

PHP Python SQLi Docker
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46701 npm HIGH POC PATCH GHSA This Week

Unauthenticated cross-origin MCP tool invocation in Network-AI v5.4.4 allows a remote attacker to lure a victim to a malicious web page that silently invokes any of the 22 exposed MCP tools (including config_set, agent_spawn, blackboard_write, and token_create/revoke) against the victim's locally running MCP SSE server. The vulnerability stems from an empty default secret combined with a wildcard CORS policy, and publicly available exploit code exists in the GHSA advisory demonstrating end-to-end exploitation. No CISA KEV listing yet and EPSS data was not provided, but the published PoC and trivial attack mechanics make this a meaningful risk for any user running the default Docker deployment.

Python RCE Docker
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-46695 LIB CRITICAL PATCH GHSA Act Now

Sandbox escape in Boxlite versions prior to 0.9.0 lets untrusted code running inside the lightweight VM remount host-shared virtiofs directories from read-only to read-write, enabling arbitrary writes to host files that operators believed were protected. Because the container is granted all 41 Linux capabilities (including CAP_SYS_ADMIN), a trivial 'mount -o remount,rw' bypasses the client-side MS_RDONLY enforcement, and in AI-agent deployments this leads to host code execution by tampering with mounted code, virtualenvs, or credentials. Publicly available exploit code exists (working PoC published in the GHSA advisory) and the issue carries a CVSS 10.0 with scope change; no public exploit identified at time of analysis in CISA KEV.

Node.js Docker Authentication Bypass RCE Python
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-45805 npm HIGH PATCH GHSA This Week

Unauthenticated remote code execution in Penpot MCP module's ReplServer (npm @penpot/mcp < 2.15.0) allows anyone on the adjacent network to POST arbitrary JavaScript to a `/execute` endpoint and have it executed by the Node.js process. The flaw stems from Express defaulting the listen() bind address to 0.0.0.0 instead of localhost, combined with a complete absence of authentication on the REPL endpoint. No public exploit identified at time of analysis beyond the reporter's working PoC included in the GHSA advisory.

RCE Docker
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-46339 npm CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent attackers to execute arbitrary OS commands by chaining two unprotected API endpoints. The Next.js authentication middleware in src/proxy.js uses a narrow route allowlist that excludes /api/cli-tools/* and /api/mcp/*, letting an attacker register an arbitrary command via POST /api/cli-tools/cowork-settings and then trigger spawn() via GET /api/mcp/[plugin]/sse. Publicly available exploit code exists (PoC published with the GHSA advisory), with CVSS 10.0 reflecting maximum severity across confidentiality, integrity, and availability.

Python Denial Of Service Docker Command Injection
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-46426 npm HIGH PATCH GHSA This Week

Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.

Docker Redis CSRF File Upload XSS
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-45709 Go MEDIUM PATCH GHSA This Month

{id}/html-check`, making this a zero-credential pivot primitive into internal infrastructure. Publicly available exploit code exists; no confirmed active exploitation in CISA KEV at time of analysis.

Java Docker SSRF Redis Oracle
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-45553 PyPI HIGH PATCH GHSA This Week

Local file disclosure in NiceGUI versions <= 3.11.1 allows remote unauthenticated attackers to read arbitrary files accessible to the server process when applications pass user-controlled content to ui.restructured_text(). The flaw stems from Docutils being invoked without disabling file-insertion directives (include, csv-table :file:, raw :file:), enabling exfiltration of secrets, credentials, and source code. No public exploit identified at time of analysis, but the vendor advisory provides full directive-level proof patterns.

Information Disclosure Kubernetes Python Docker
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45686 Go HIGH PATCH GHSA This Week

Remote denial-of-service in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows unauthenticated attackers to crash the privileged instrumentation process by sending a crafted memcached storage command with an oversized `<bytes>` field. The integer overflow in the memcached text protocol parser produces a negative payload length that triggers a Go runtime panic in LargeBufferReader.Peek, halting telemetry collection until OBI is restarted. Publicly available exploit code exists in the GHSA-43g7-cwr8-q3jh advisory, but there is no public exploit identified beyond the PoC and the vulnerability is not listed in CISA KEV.

Docker RCE Denial Of Service Python Integer Overflow +1
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-45678 Go HIGH PATCH GHSA This Week

Denial of service in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to crash the telemetry agent by sending a malformed Postgres BIND frame with an empty or unterminated portal name payload to any monitored service. The defect lives in OBI's passive Postgres protocol parser, where missing NUL-terminator validation causes a Go slice-bounds panic, halting telemetry collection on the affected node. Publicly available exploit code exists in the GHSA-pgvv-q3wf-mm9m advisory, though the issue is not listed in CISA KEV and EPSS data was not provided.

PostgreSQL Docker Python Denial Of Service Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-45679 Go MEDIUM PATCH GHSA This Month

OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 forwards raw Redis error replies verbatim into OTLP span status messages, enabling both information disclosure and telemetry injection against any deployment tracing Redis traffic. The `getRedisError` function in `pkg/ebpf/common/redis_detect_transform.go` applies only CRLF trimming before storing error text directly into `request.DBError.Description`, which `span.go` then exports as the span status message for every non-zero-status Redis span. A publicly available proof-of-concept demonstrates that caller-supplied values embedded in Redis error replies - including authentication credentials, tokens, and PII - are automatically propagated into OTLP collectors, dashboards, and log aggregators without requiring any special attacker position beyond the ability to trigger Redis errors. No public exploit identified at time of analysis beyond the included PoC; not in CISA KEV.

Redis Docker Information Disclosure Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVSS 7.5
HIGH PATCH This Week

Unauthenticated information disclosure in WWBN AVideo (versions prior to 29.0) deployed via the official docker-compose.yml exposes the application's .env file at /.env, leaking database credentials, the SYSTEM_ADMIN_PASSWORD, and internal Docker network topology. The default Apache document root mount lacks any rule blocking dotfile access, so a single curl request to /.env returns plaintext secrets. No public exploit identified at time of analysis, though reproduction is trivial against any default Docker deployment.

Apache Docker Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in motionEye v0.43.1 allows any authenticated user - including those with normal (non-admin) privileges - to read arbitrary files from the server filesystem via the picture and movie preview API endpoints. The root cause is inconsistent input validation: `get_media_preview()` and `del_media_content()` in `mediafiles.py` omit the `..` sequence check that `get_media_content()` correctly implements, and the Tornado web framework passes percent-encoded slashes (`%2F`) through unmodified to `os.path.join()`. A fully functional public proof-of-concept demonstrating retrieval of `/etc/passwd` is published in the GitHub security advisory; no public exploit identified at time of analysis for CISA KEV, but the low exploitation complexity and pre-computable default-credential signature make exposed instances an immediate practical target.

Path Traversal Python Docker
NVD GitHub
EPSS 0% CVSS 2.0
LOW PATCH Monitor

HTML injection in Canarytokens' Google Chat webhook notifications allows an attacker who triggers a deployed canarytoken to embed limited HTML content - including crafted hyperlinks - inside the resulting alert message rendered in Google Chat. The vulnerable system is Canarytokens itself (Docker tag sha-4aef1db90 through sha-8ab4dccd), but the integrity impact lands on the subsequent system: the Google Chat interface where defenders receive their alerts. A proof of concept exists per CVSS 4.0 supplemental metric E:P; no confirmed active exploitation or CISA KEV listing exists at time of analysis.

Google Code Injection Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Crawl4AI Docker API server (versions prior to 0.8.7) allows remote unauthenticated attackers to forge valid JWT tokens because the signing key defaults to the hardcoded value 'mysecret' present in the public source code. Anyone aware of the default secret can mint tokens for arbitrary users and obtain full access to protected crawling, extraction, JavaScript execution, and configuration endpoints. No public exploit identified at time of analysis, but the underlying weakness is trivially reproducible from the upstream repository.

Docker Authentication Bypass Crawl4ai
NVD GitHub VulDB
CVSS 6.5
MEDIUM PATCH This Month

OpenBao's transit secrets engine crashes the entire server process when an authenticated caller submits a key-creation request combining an asymmetric key type (rsa-*, ecdsa-*, ed25519) with the derived: true parameter. Affected versions confirmed as 2.5.2 and 2.5.4, with earlier versions also likely vulnerable per the GHSA advisory. The server returns no HTTP response, terminates with exit code 2, and the crash propagates to the entire cluster - making this a high-impact availability denial-of-service requiring only a single authenticated API request. Publicly available exploit code exists in the form of a detailed PoC curl command included in the security advisory; no CISA KEV listing is present at time of analysis.

Docker Denial Of Service Hashicorp +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

The Kubernetes Ingress NGINX provider in Traefik v3.7.0-ea.1 through v3.7.4 fails open when BasicAuth or DigestAuth cannot be installed because the referenced auth-secret is unresolvable, silently publishing the intended-to-be-protected backend route without any authentication middleware to unauthenticated network clients. Operators who explicitly configure auth via nginx.ingress.kubernetes.io/auth-type and auth-secret annotations are left with a live, fully accessible backend route while Traefik logs a single controller-level error and routes traffic normally - a direct violation of the declared security intent. A detailed proof-of-concept covering eight distinct secret-failure scenarios was developed by the reporter and confirmed on both current master and v3.7.1; no public release of exploit code is confirmed and no CISA KEV listing exists at time of analysis.

Nginx Kubernetes Denial Of Service +3
NVD GitHub VulDB
CVSS 6.8
MEDIUM PATCH This Month

Token exfiltration in dbt-mcp's embedded OAuth helper server (versions before 1.20.0) allows any co-located process or DNS-rebinding attacker to retrieve a victim's full dbt Cloud access and refresh tokens via a single unauthenticated HTTP GET request. Developers running dbt-mcp in OAuth mode on any shared or browser-accessible host are affected for the entire lifetime of the OAuth helper process following a completed login flow. No public exploit identified at time of analysis, though the GitHub security advisory (GHSA-jr33-mw75-7j8f) includes a fully functional Docker-based PoC with step-by-step reproduction artifacts, substantially lowering the exploitation barrier.

Python CSRF Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

{device_id}`. The KonnectedView HTTP endpoint sets `requires_auth = False` and only enforces Bearer-token validation on POST/PUT methods, leaving the GET handler entirely unauthenticated. Publicly available exploit code exists in the form of a detailed reporter-published proof of concept against Home Assistant Core 2026.5.2.

Python Microsoft Information Disclosure +2
NVD GitHub VulDB
EPSS 1% CVSS 7.6
HIGH PATCH This Week

Arbitrary file write via path traversal in Slopsmith (a self-hosted Rocksmith 2014 CDLC web app) prior to 0.2.9-alpha.5 allows an attacker who can supply a malicious PSARC or sloppak archive to write files outside the extraction directory, escalating to remote code execution under the default Docker image which runs as root and exposes a writable plugin directory. The CVSS 4.0 vector reports high privileges required (PR:H), reflecting that the attacker must reach the archive-upload/open functionality of an authenticated user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Path Traversal Python RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory exhaustion via maliciously crafted container image in containerd causes an OOM kill of the containerd process, rendering the container runtime API unavailable and disrupting orchestration layers including Docker Engine and Kubernetes control-plane components. CVE-2026-47262 is rated Moderate by the containerd project - lower than the four co-patched Critical/High CVEs - and is fixed across the full active supported release tree in versions 2.3.2, 2.2.5, 2.1.9, 2.0.10, and 1.7.33. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Docker Kubernetes Denial Of Service +1
NVD VulDB GitHub
CVSS 5.8
MEDIUM PATCH This Month

Unauthenticated SSRF in signalk-server ≤2.27.0 allows remote attackers to force the server to make arbitrary HTTP/HTTPS requests to any destination, including RFC 1918 private ranges, loopback, and cloud metadata services at 169.254.169.254. On default installations where no admin user has been created, the security middleware is a no-op, meaning all three vulnerable endpoints are completely unauthenticated over the network. A detailed public PoC is included in the GitHub advisory demonstrating internal network scanning, AWS IAM credential theft via IMDSv1, and path-traversal-assisted targeted data exfiltration; no CISA KEV listing is present at time of analysis.

Microsoft Docker Kubernetes +4
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthenticated call-control abuse in pipecat-ai development runner (>=0.0.77, <1.4.0) allows remote attackers reaching an exposed `/ws` telephony WebSocket to inject an attacker-controlled `callSid` that the server then submits to Twilio, Telnyx, or Plivo REST APIs using the operator's own credentials, forcibly terminating victim calls. Publicly available exploit code exists (a full Dockerized PoC is published in the GHSA advisory) and the maintainers shipped a fix in v1.4.0; no CISA KEV listing at time of analysis.

Python Docker Denial Of Service +3
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

WORKDIR symlink traversal in Podman allows a malicious container image to create arbitrary directories - and under a race condition, modify ownership - directly on the host filesystem, breaking container isolation. Affected versions include Podman v5 through 5.7.0, v4 through 4.9.5, and v3 through 3.4.7; the flaw is in the WORKDIR path resolution logic, which fails to confine symlink dereferences to the container's mount namespace. Public proof-of-concept scripts are included in the vendor's GitHub advisory (GHSA-q6r4-3wmg-fwcq); no active exploitation has been confirmed via CISA KEV.

Information Disclosure Docker Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

ICMP egress policy bypass in Docker Sandboxes (sbx) allows untrusted workloads - explicitly including AI agents - to defeat the documented ICMP block and reach arbitrary external hosts after a Docker daemon restart. The authorizer enforcing the ICMP egress restriction is applied only at network-creation time and is never re-applied when the daemon reconstructs network state from disk on restart, leaving the policy unenforced for the lifetime of the rebuilt network. No public exploit has been identified at time of analysis, but the bypass enables network reconnaissance and covert-channel data exfiltration directly contradicting the sbx threat model, which treats sandbox workloads as adversarial.

Information Disclosure Docker
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

DNS covert-channel exfiltration in Docker Sandboxes (sbx) prior to v0.33.0 allows untrusted workloads executing inside internet-connected sandboxes to bypass the configured HTTP/S-only egress allowlist by encoding data into DNS subdomain labels. The per-network embedded DNS resolver forwards all queried names to the host resolver without consulting egress policy, undermining the core isolation guarantee that sbx provides for AI agent workloads. No public exploit has been identified at time of analysis, but the CVSS 4.0 vector assigns high confidentiality impact (VC:H), consistent with the ability to exfiltrate arbitrary in-sandbox data - including API keys, environment variables, and workspace secrets - to an attacker-controlled authoritative DNS server.

Authentication Bypass Docker
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Backend routing bypass in http-proxy-middleware allows unauthenticated external attackers to redirect HTTP requests to unintended backends by sending a crafted Host header that acts as a superstring of a configured host+path router key. The vulnerable substring matching logic (`hostAndPath.indexOf(key) > -1` in `src/router.ts`) affects npm package versions 0.16.0 through 3.0.5 and 4.0.0 through v4.0.0-beta.5, enabling bypass of tenant isolation, backend segmentation, or access-control boundaries enforced through proxy routing rules. Publicly available exploit code exists in the GitHub Security Advisory GHSA-64mm-vxmg-q3vj, with vendor-confirmed fixes released as versions 3.0.6 and 4.1.0.

Information Disclosure Docker Red Hat
NVD GitHub VulDB HeroDevs
HIGH PATCH This Week

Arbitrary code execution as root on the host running Docker MCP Gateway via argument injection in the `docker run` command line. A malicious OCI image author can craft an `io.docker.server.metadata` label that YAML-unmarshals into runtime-shaping fields of the `catalog.Server` struct, causing the gateway to append attacker-chosen flags like `-v /:/host` and `-u root` when launching the MCP server container. No public exploit identified at time of analysis, but the upstream advisory describes a full exploitation path.

Privilege Escalation RCE Docker
NVD GitHub
EPSS 0% CVSS 3.1
LOW POC PATCH Monitor

Authentication token leakage in Black Lantern Security's bbot docker_pull module exposes Docker credentials to MITM attackers who can substitute the realm parameter in a forged WWW-Authenticate Bearer challenge. When bbot contacts a Docker registry and receives a 401 response, the vulnerable module blindly trusts the attacker-supplied realm URL and forwards authentication material to an arbitrary endpoint outside the legitimate registry domain. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but an upstream patch commit is available on GitHub.

SSRF Docker Bbot
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Path traversal in BBOT's unarchive internal module enables a malicious archive hosted by attacker-controlled infrastructure to write files outside the intended extraction directory when BBOT runs on systems with GNU tar < 1.34. This vulnerability is a residual gap from CVE-2025-10284, which resolved git-specific RCE vectors but left the underlying archive extraction path validation entirely unimplemented, relying instead on inconsistent external tool behavior across platforms. No public exploit has been identified at time of analysis; the CVSS vector (AC:H/UI:R) constrains real-world risk to BBOT operators actively scanning attacker-controlled targets on affected OS distributions, but the high integrity impact (I:H) and zero privilege requirement (PR:N) are significant for red-team and CI/CD BBOT deployments running on legacy base images.

Path Traversal Debian Ubuntu +2
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authorization bypass in Gitea versions prior to 1.26.0 lets a read-only organization member create repositories in the organization namespace via the API fork endpoint, despite a team configuration that denies repository creation (can_create_org_repo=false). Because the fork creator receives admin rights on the resulting repo, the attacker can enable Actions and push a workflow that exfiltrates all organization-level CI/CD secrets (deploy keys, cloud credentials, API tokens). Publicly available exploit code exists in the GHSA advisory with a full step-by-step PoC; no public exploit identified at time of analysis beyond the reporter's reproduction.

Docker RCE Authentication Bypass +2
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

SSRF protection bypass in Open WebUI's SafePlaywrightURLLoader (versions <= 0.9.5) allows authenticated users to access internal network resources by supplying an externally-hosted URL that returns an HTTP 301/302 redirect to a private address. Because Playwright's page.goto() automatically follows redirects without re-validating the destination, attackers can reach localhost, container-network peers, or cloud metadata endpoints (169.254.169.254) even when ENABLE_RAG_LOCAL_WEB_FETCH=False. A working PoC is published in the GHSA advisory; there is no public exploit identified at time of analysis being actively used, and no CISA KEV listing.

Python SSRF Docker
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.

Python PostgreSQL Microsoft +6
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

{event_id}/update` endpoint validates write access only on the source calendar, silently omitting the destination `calendar_id` authorization check that `create_event` correctly enforces - a classic IDOR pattern. A verified public proof-of-concept exists against v0.9.4 (the official Docker image); the fix is available in v0.9.6. No CISA KEV listing was present in the input data, so widespread in-the-wild exploitation is unconfirmed.

Python Authentication Bypass XSS +1
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Traefik's Kubernetes Gateway provider exposes internal services (`api@internal`, `dashboard@internal`, `rest@internal`) on the data plane due to a namespace allowlist check evaluated against the wrong variable in multi-backendRef (WRR) HTTPRoute rules. Operators who configured `crossProviderNamespaces` to restrict which namespaces may reference cross-provider `TraefikService` backends find that restriction entirely bypassed for routes with two or more backendRefs, allowing an unprivileged route namespace to expose the Traefik API unauthenticated on the normal web entrypoint. A fully functional end-to-end proof-of-concept was included in the disclosure; no public exploit identifier at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Kubernetes Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

mTLS bypass in Traefik v3.6.17 through v3.7.2 allows unauthenticated remote clients to reach backends protected by router-specific client-certificate policies by negotiating over HTTP/3 (QUIC). The QUIC TLS configuration selector performs only an exact, case-sensitive SNI map lookup, so wildcard host rules (e.g. `*.example.com`) and mixed-case SNI values fall back to the default TLS configuration, which typically does not require a client certificate, while the HTTP routing layer still dispatches the request to the protected backend. Publicly available exploit code exists in the GitHub Security Advisory GHSA-9cr8-q42q-g8m7, but there is no public exploit identified at time of analysis indicating active in-the-wild abuse.

OpenSSL Information Disclosure Docker
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated server-side request forgery in Crawl4AI's Docker API server (versions < 0.8.9) lets remote attackers reach internal services and cloud-metadata endpoints by supplying a proxy address that bypasses the crawl-URL validation. Because the Docker API is unauthenticated by default and the SSRF check was only applied to the crawl target - not to the proxy destination - an attacker can route Chromium's egress through an internal IP (e.g. AWS IMDSv1 at 169.254.169.254) and read the response verbatim from the crawl result. No public exploit is identified at time of analysis, but the reporter supplied a working PoC and EPSS risk is low (0.29%, 20th percentile).

Google SSRF Docker
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-Side Request Forgery in Crawl4AI's Docker API server (versions <= 0.8.7) allows unauthenticated remote attackers to bypass the IPv4/IPv6 CIDR blocklist in validate_webhook_url/validate_url_destination by using IPv6 transition forms (NAT64, 6to4, IPv4-mapped, IPv4-compatible) or the unspecified address. Since the Docker API ships with jwt_enabled:false by default, attackers can pivot the server into fetching cloud metadata endpoints like 169.254.169.254, potentially exposing IAM credentials. No public exploit identified at time of analysis, but the upstream advisory (GHSA-4qqr-vv2q-cmr5) details the exact bypass payloads.

Docker SSRF Oracle
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Unauthenticated remote code execution in Crawl4AI's Docker API (versions <= 0.8.6) lets attackers escape the computed-fields expression sandbox and run arbitrary OS commands inside the container. The AST validator behind `_safe_eval_expression()` only blocked attribute names beginning with an underscore, so a crafted `JsonCssExtractionStrategy` schema can reach generator/frame attributes (`gi_frame`, `f_back`, `f_builtins`) to recover the real `__import__` and execute code. Because JWT auth is disabled by default, a single `POST /crawl` request suffices; publicly available exploit code exists (SSVC: PoC) and the vendor rates it CVSS 10.0, though EPSS is low at 0.45%.

Python Code Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Mutual-TLS bypass in Traefik v3.7.0 and v3.7.1 lets unauthenticated remote attackers reach backends protected by wildcard-router `TLSOptions` (for example `Host("*.example.com")` with `RequireAndVerifyClientCert`). The `SNICheck` domain-fronting middleware resolves TLS options for the HTTP `Host` header via exact map lookups only, so an attacker completing the TLS handshake under a permissive SNI on the same entrypoint can then send a `Host` header for the wildcard-protected backend and skip the client-certificate requirement. Publicly available exploit code exists in the GitHub Security Advisory PoC; this is independent of the prior HTTP/3 mTLS issue.

Kubernetes OpenSSL Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authenticated command injection in File Browser (github.com/filebrowser/filebrowser/v2 before 2.33.8) lets any user holding Execute permission bypass the command allowlist when a shell interpreter such as /bin/sh -c is configured. Because the allowlist validates only the first token while the full raw string is passed to the shell, an attacker chains arbitrary OS commands after a permitted one using metacharacters (;, |, backticks, $()), executing them at the server process privilege - root in the default Docker image. A detailed working PoC is published in the GHSA advisory; EPSS is very low (0.02%, 7th percentile) and the vulnerable Command Execution feature is disabled by default from 2.33.8 onward, including for upgraded existing installations.

Command Injection Docker
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Zip-slip path traversal in filebrowser v2.63.5 and earlier (Linux-hosted) allows any authenticated user with Create permission to plant a file whose name contains URL-encoded Windows-style backslash traversal sequences (`%5C`). The Linux server stores the file with a literal backslash in its name, which `filepath.ToSlash()` silently ignores, and the archive download handler emits that name verbatim into zip/tar central directories. When a Windows victim downloads and extracts the archive using Explorer, 7-Zip, WinRAR, or .NET `ZipFile.ExtractToDirectory`, the extractor interprets `\` as a path separator and writes files to arbitrary locations outside the extraction directory - enabling arbitrary file write on the victim's Windows machine. No public exploit identified at time of analysis beyond the full PoC published in the GHSA advisory; EPSS is 0.03% (8th percentile), consistent with the two-party, victim-interaction requirement.

Path Traversal Canonical Microsoft +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Symlink-following scope escape in File Browser (filebrowser/filebrowser v2 ≤ 2.63.13) lets a restricted, scoped user-and in the public-share case an unauthenticated recipient-read, overwrite, and share files outside their assigned directory whenever a symlink lexically inside their scope resolves to a target elsewhere on the server. The per-user BasePathFs root blocks lexical ../ traversal but the HTTP handlers dereference symlinks before serving, writing, or sharing, so any file the server process can reach is exposed. Publicly available proof-of-concept exploit code exists in the GHSA advisory; the issue is not in CISA KEV and EPSS is low (0.07%, 23rd percentile).

Path Traversal Docker
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthenticated denial-of-service in File Browser (filebrowser/filebrowser) versions <= 2.63.5 allows remote attackers to exhaust CPU and memory by submitting arbitrarily large passwords to the public /api/login endpoint, which are then passed unchecked into the bcrypt-style CheckPwd hashing routine. Publicly available exploit code exists in the GitHub advisory PoC, and concurrent abuse can crash the container and even destabilize the host Docker daemon. EPSS is low (0.04%) and the issue is not in CISA KEV, but the trivial AV:N/AC:L/PR:N exploitation profile makes it a real availability risk for any internet-exposed instance.

Docker Denial Of Service Python
NVD GitHub
EPSS 0% CVSS 9.5
CRITICAL PATCH Act Now

Production deployment compromise in Duck Site before 1.0.1 allows remote attackers to push attacker-controlled code as the live production Docker image without code review or merge approval. The flaw stems from a GitHub Actions deploy workflow that can be tricked into treating an unmerged pull request build as a main-branch deployment, then checking out the PR commit, building it, pushing it as the `latest` Docker tag, and triggering a Dokploy deployment. No public exploit identified at time of analysis, and CVE is not listed in CISA KEV.

Information Disclosure Docker
NVD GitHub VulDB
EPSS 0% CVSS 9.5
CRITICAL PATCH Act Now

Privileged GitHub Actions workflow injection in Quest Bot (Discord moderation bot) prior to version 1.0.3 allows remote attackers to deploy malicious container images to production by opening a pull request from a branch named 'main'. The unprivileged build workflow's head_sha is consumed by a downstream privileged deploy workflow, which then builds and publishes attacker-controlled code as the 'latest' Docker image and triggers production rollout. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-9qf3-c86c-j346) documents the chain end-to-end.

Information Disclosure Docker
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Server-side request forgery in Kolibri (pip/kolibri <= 0.19.3) allows network-reachable attackers to force the Kolibri server to issue outbound HTTP requests to arbitrary internal hosts, cloud metadata endpoints, and internal services, with JSON response bodies reflected directly to the caller. The primary GET endpoint at /api/auth/remotefacilityuser required no authentication whatsoever, making this exploitable by any party with network access to the Kolibri server. A working proof-of-concept was retained internally by the reporting researcher but was not published; no public exploit code exists and CISA KEV listing has not been identified at time of analysis.

Python Microsoft Docker +3
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Path traversal in Keras archive extraction utilities prior to version 3.14.0 allows remote attackers to write files outside the intended extraction directory when a victim loads a malicious model archive. The flaw stems from validating archive member paths against the process current working directory rather than the actual extraction destination, which collapses to the filesystem root in common Docker, CI/CD, and Jupyter setups. No public exploit identified at time of analysis, but the upstream fix and a Huntr bounty disclosure make targeted exploitation against ML pipelines plausible.

Path Traversal Python Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API access token from pipeboard-co/meta-ads-mcp through version 1.0.108 when the server is run with the streamable-HTTP transport on a network-reachable port. The AuthInjectionMiddleware silently forwards requests lacking an Authorization or X-PIPEBOARD-API-TOKEN header, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and Graph API error responses echo the request URL - including the token query parameter - back to the caller. A working proof-of-concept is published in GHSA-9gw6-46qc-99vr; no public exploit identified at time of analysis as a separate weaponized tool, but the PoC is sufficient to reproduce end-to-end.

Python Authentication Bypass Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Route-level authentication bypass in Traefik's StripPrefix middleware allows unauthenticated remote attackers to reach protected backend endpoints (e.g., /admin, /internal/config) by crafting request paths such as /api../admin or /api%2e%2e/admin. The public router matches before path normalization, but StripPrefix subsequently normalizes the path via JoinPath() so the backend receives the protected path without the authentication middleware ever running. Publicly available exploit code exists (full PoC in the advisory), patches are released, and EPSS sits at 0.22% (45th percentile) with no CISA KEV listing.

Python Authentication Bypass Docker
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Arbitrary directory deletion in julien040/anyquery 0.4.4 and earlier allows an authenticated low-privileged bearer-token holder to delete any directory accessible to the server process by submitting a SQL query that invokes clear_plugin_cache with a path-traversal payload. The flaw stems from path.Join silently resolving '..' segments before os.RemoveAll, and publicly available exploit code exists in the GitHub Security Advisory GHSA-j9rx-rppg-6hh4. Verified impact includes irreversible deletion of files outside the intended $XDG_CACHE_HOME/anyquery/plugins/ cache root, producing data loss and denial of service.

Python Docker Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 3.5
LOW PATCH Monitor

Papra's webhook delivery system allows any authenticated organisation member to bypass SSRF protections and cause the server to issue HTTP requests to loopback, link-local, and RFC-1918 addresses by exploiting automatic redirect-following in the ofetch HTTP client. The SSRF blocklist is enforced on registered webhook URLs but never applied to 3xx redirect destinations, meaning an attacker-controlled server can return a 302/307 response pointing to any internal address and Papra's server will follow it. A public proof-of-concept is available and exploitation was confirmed against the official Docker image; no CISA KEV listing is present at time of analysis.

Python Docker Microsoft +1
NVD GitHub
EPSS 0% CVSS 2.0
LOW PATCH Monitor

HTML injection in the 'fetch links' alert email feature of Thinkst Canarytokens allows unauthenticated remote attackers to embed malicious HTML and JavaScript into notification emails delivered to token owners (defenders). The vulnerability is notable because it weaponizes the deception platform's own alert mechanism against the security operators relying on it - turning a defensive tool into a phishing vector. Proof-of-concept exploit code exists (CVSS 4.0 E:P), though the vulnerability is not listed in CISA KEV and the CVSS 4.0 base score of 2.0 reflects the limited, interaction-dependent impact.

Docker XSS
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

CSV Injection in Poweradmin's log export functionality allows a high-privileged attacker to embed spreadsheet formulas in usernames that execute when an administrator exports activity logs and opens the resulting CSV in Excel, LibreOffice Calc, or Google Sheets. All four log export controllers pass username fields directly to PHP's fputcsv() without neutralizing formula trigger characters (=, +, -, @), enabling phishing via rendered hyperlinks and silent data exfiltration via =IMPORTXML() or similar functions targeting victim administrators. Publicly available exploit code exists per GHSA-3h6h-67x3-cv5x; the vulnerability is not listed in CISA KEV.

Google PHP Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Code injection in the anyquery chrome_tabs plugin (and Brave/Edge/Safari variants) on macOS allows an authenticated SQL client to break out of an AppleScript URL property record and execute arbitrary `osascript` commands, including `do shell script` for OS-level command execution. The flaw affects anyquery 0.4.4 (commit 0abd460) and stems from unescaped string interpolation at plugins/chrome/tabs.go:141 and :169. Publicly available exploit code exists in the GHSA advisory (GHSA-hrj8-hjv8-mgwc), though no public exploit identified at time of analysis in mass-exploitation feeds and KEV does not list it.

Command Injection Code Injection Google +4
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Phar deserialization in PhpSpreadsheet (PHPOffice) is reachable on PHP 7.x because the `File::prohibitWrappers` helper added to patch CVE-2026-34084 can be bypassed with a three-slash phar URI such as `phar:///path/file.phar/inner`, where `parse_url` returns false and the wrapper check is skipped. Remote attackers who can supply a file path to `IOFactory::load()` achieve full RCE on PHP 7.x branches (1.x up to 1.30.4) and a phar file-read primitive on PHP 8.x branches up to 5.7.0; publicly available exploit code exists with a working Docker reproducer, though EPSS is only 0.04% (12th percentile).

PHP Docker Deserialization
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in DbGate (npm package dbgate-api) versions 7.1.8 and earlier allows any authenticated user with basic access to execute arbitrary OS commands by injecting JavaScript into the `functionName` parameter of the `POST /runners/load-reader` endpoint. The flaw stems from unsanitized string interpolation into a server-side script template, and the `require=null` sandbox is bypassed via `process.binding("spawn_sync")`. Publicly available exploit code exists (vendor-published PoC in the GHSA advisory), and the issue carries a CVSS 8.8 rating with low-complexity, low-privilege exploitation.

Privilege Escalation Code Injection RCE +2
NVD GitHub
EPSS 0%
CRITICAL POC PATCH Act Now

Authenticated remote code execution in DbGate (all versions through 7.1.8) allows any user with valid credentials to execute arbitrary OS commands as the process owner - root in Docker - by injecting newline-delimited JavaScript into the unsanitized `functionName` parameter of the `/runners/load-reader` API endpoint. A prior partial mitigation (`require = null`) introduced in commit cf3f95c (June 2025) is trivially bypassed using the dynamic `import()` language keyword, which cannot be nullified at runtime. Publicly available exploit code exists demonstrating full root-level command execution; this vulnerability is not listed in CISA KEV at time of analysis.

Python Privilege Escalation Command Injection +2
NVD GitHub
EPSS 0%
CRITICAL PATCH Act Now

Remote code execution in DbGate versions 7.1.8 and earlier allows network-adjacent attackers to achieve full container compromise via a Zip Slip flaw in the archive unzip endpoint. Because the default Docker deployment runs as root and the bundled 'none' authentication provider issues JWT tokens without credentials, any attacker reachable on the network can upload a malicious ZIP that writes files anywhere on the filesystem, including cron entries for code execution. Publicly available exploit code exists in the GHSA advisory itself, and an upstream patched release (7.1.9) is available.

Docker Python Path Traversal
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

Unauthenticated remote code execution in DbGate (npm package dbgate-serve, versions <= 7.1.8) lets remote attackers execute arbitrary Node.js code by injecting JavaScript through the functionName parameter of the POST /runners/start JSON script runner. Default Docker deployments ship with Anonymous authentication enabled, making this exploitable without credentials (CVSS 10.0), and a public Nuclei template plus detailed PoC mean publicly available exploit code exists even though no CISA KEV listing was identified at time of analysis.

Docker Node.js RCE
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

DNS transaction ID entropy collapse in AdGuard Home (≤v0.107.74) and its underlying dnsproxy library (≤v0.81.2) reduces the backend UDP forwarding tuple from two random variables to one: the DNS ID is deterministically 0 on every client-triggered DoQ-to-UDP hop, leaving only the UDP source port as the sole remaining entropy variable. An off-path attacker who can inject spoofed ICMP error messages toward the resolver's egress address can exploit a reliable source-port oracle - confirmed across four consecutive runs for both products - to identify the correct backend socket state before injecting a forged DNS response, placing this attack in the same threat-model class as SAD DNS and TUdoor. No public exploit confirmed at time of analysis beyond the working oracle reproducer included in the advisory disclosure; the advisory is not listed in CISA KEV.

OpenSSL Race Condition Oracle +2
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Stored XSS in AVideo's YouTubeAPI plugin allows any YouTube video uploader whose video matches the AVideo operator's configured search keyword to inject arbitrary JavaScript into every visitor's browser via the homepage gallery section. The `snippet.title` field returned by the YouTube Data API is rendered verbatim across four HTML output sites in `plugin/YouTubeAPI/gallerySection.php`, three of which apply no encoding whatsoever; the fourth applies only a partial `str_replace` that strips double-quotes and leaves the other three sinks untouched. Publicly available exploit code is documented in GHSA-66q5-cj5g-wrfx; the payload persists for up to 3600 seconds (the default cache TTL) after the hostile video is removed from YouTube, and when the victim is an authenticated AVideo administrator the injected script can escalate to full administrative takeover via cookie-based requests lacking CSRF protection.

PHP XSS Docker +1
NVD GitHub
EPSS 0%
MEDIUM PATCH This Month

SQL injection in OpenMeter's meter creation API allows any authenticated tenant to execute arbitrary ClickHouse SQL against a shared database with no row-level security, enabling full cross-tenant data exfiltration. The vulnerable endpoint is POST /api/v1/meters, where the valueProperty and groupBy fields are interpolated directly into ClickHouse SELECT statements via fmt.Sprintf without parameterization, and the sanitization function (sqlbuilder.Escape) only escapes library-internal placeholder characters - not single quotes. A publicly available exploit code (PoC) exists demonstrating confirmed time-based blind injection, and no public exploit identified at time of analysis in the CISA KEV sense, though the PoC lowers the barrier to exploitation significantly.

Denial Of Service Docker Python +1
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

{id}) or delete (DELETE /api/projects) any project on the platform, triggering cascading deletion of associated Functions, APIGateways, and FunctionEvents. The write paths construct PermissionOptions without setting MemberIds, causing the platform-layer FilterProjectsByPermissions to short-circuit and skip OPA enforcement entirely. Publicly available exploit code exists (detailed working PoC in the advisory), and the issue is fixed in Nuclio 1.16.0 via PR #4107.

Authentication Bypass Python Docker +1
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Authenticated zone-file injection in Froxlor <=2.3.6 allows a customer with DNS editing enabled to inject newline characters into TXT record content via the DomainZones.add API, breaking out of the record line in the generated BIND zone file and injecting arbitrary BIND directives ($INCLUDE, $GENERATE) or DNS records (A, MX, CNAME). The flaw is an incomplete fix for CVE-2026-30932, which sanitized LOC/RP/SSHFP/TLSA records but left TXT handling reliant only on Dns::encloseTXTContent(), which strips no control characters. Publicly available exploit code exists (detailed PoC including a Python script in the GHSA advisory), but there is no public exploit identified at time of analysis in CISA KEV and no EPSS score was provided.

Python Apache PHP +3
NVD GitHub
EPSS 0% CVSS 1.2
LOW Monitor

HTML injection in Thinkst Applied Research Canarytokens notification emails for 'Slow Redirect' and 'Cloned Website' token types allows an attacker who triggers those tokens to embed arbitrary HTML and JavaScript into the alert email sent to the operator. If the recipient opens the notification in an HTML-rendering email client, the injected content executes within that client's context, enabling interface manipulation and XSS. This affects self-hosted Docker deployments between tag sha-c42435e and sha-bfda4df; a proof of concept exists (CVSS E:P), though no public exploit confirmed active exploitation and CISA KEV listing is absent.

Docker XSS
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote command execution in openlabs docker-wkhtmltopdf-aas (up to commit 9f50579) allows unauthenticated attackers to run arbitrary OS commands by sending a crafted POST request to the app.py PDF conversion endpoint. The CVSS 9.8 rating reflects network-reachable, no-privilege, no-interaction exploitation, and while no public exploit identified at time of analysis, the referenced source line (app.py#L40) makes the injection sink trivially discoverable for any attacker reviewing the repository.

Docker Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial of service in Docker Desktop versions 4.33.0 through 4.75.x allows a local low-privileged user inside a container to crash the underlying Linux VM by triggering unbounded recursion in the grpcfuse kernel module. The flaw is exercised by creating deeply nested directories on a bind-mounted host folder and forcing a dentry invalidation event, which panics the virtualization layer that backs the entire Docker engine. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Docker Information Disclosure
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Secret exfiltration in CloudPirates Open Source Helm Charts (prior to commit fcf9302) allows unauthenticated attackers to steal repository secrets, including Docker Hub credentials and tokens, by submitting a malicious fork pull request that triggers the pull-request.yaml GitHub Actions workflow in a privileged context. No public exploit is identified at time of analysis, but the attack pattern is a well-known pwn-request misconfiguration that requires no maintainer approval, and the CVSS score of 10.0 (Critical) with scope change reflects compromise of CI/CD secrets that extend beyond the workflow boundary.

Docker RCE Code Injection
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Unauthenticated arbitrary file read in PraisonAI's MCP server (pip/PraisonAI <= 4.6.39) allows remote callers to retrieve any file readable by the host user via the praisonai.workflow.show, praisonai.workflow.validate, and praisonai.deploy.validate tool handlers. The flaw is an incomplete fix for CVE-2026-44336: a hardening helper was applied to the rules.* tools but not to these adjacent workflow/deploy handlers, and the dispatcher still forwards unvalidated kwargs to handlers. Publicly available exploit code exists (working proof-of-concept in the advisory); no public exploit identified at time of analysis as a packaged exploit, but the advisory itself ships a runnable PoC.

Docker PostgreSQL Path Traversal +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-folder unauthorized file deletion in Admidio v5.0.9 allows any authenticated member with upload rights on a single folder to permanently destroy files stored in folders where they hold only view access. The vulnerability stems from a broken authorization boundary in modules/documents-files.php: the top-level upload-right check trusts an attacker-supplied folder_uuid URL parameter rather than the target file's actual parent folder, while the file_delete handler performs only a view-right check. This is confirmed as an incomplete fix of GHSA-rmpj-3x5m-9m5f (previously addressed in v5.0.7 but reintroduced by v5.0.9). A fully functional public proof-of-concept with step-by-step curl commands has been confirmed against a Docker deployment of v5.0.9; no public exploit identified at time of analysis as a weaponized tool, but the PoC lowers exploitation barrier significantly.

Docker PHP CSRF +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

SSRF deny-list bypass in Gotenberg v8 (<= 8.32.0) allows unauthenticated remote attackers to reach internal cloud metadata services (e.g., AWS/GCP/Azure IMDS at 169.254.169.254) by serving a crafted DNS AAAA record containing IPv6 6to4, NAT64, or deprecated site-local prefixes that the IsPublicIP allow-list fails to recognize. Publicly available exploit code exists via the GitHub Security Advisory PoC, and the Chromium URL-convert route returns the upstream response as a PDF, yielding a full-read SSRF that can leak IAM credentials. No vendor-released patch identified at time of analysis (advisory lists no fixed version).

Google Microsoft Docker +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Zip slip path traversal in Gotenberg through version 8.32.0 allows remote unauthenticated attackers to plant files outside the extraction directory on Windows hosts that unzip multi-output API responses. Because Gotenberg runs on Linux containers, its filepath.Base sanitisation never strips Windows-style backslashes from uploaded multipart filenames, so a crafted name like '..\..\..\Windows\System32\evil.pdf' is preserved verbatim as a zip entry name and honoured by Windows extractors (7-Zip, WinRAR, .NET ZipFile, Explorer). A working publicly available exploit code exists in the GHSA advisory; the issue is not present in CISA KEV and no EPSS score was provided.

Docker Microsoft Path Traversal +1
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL Act Now

Command injection in Dokploy 0.29.2 and earlier allows authenticated users with application create/edit permissions to execute arbitrary shell commands on the host by injecting metacharacters into branch names, repository URLs, or Docker credentials. The flaw stems from unsanitized template-literal interpolation passed to child_process.exec(), and at time of analysis no public exploit identified at time of analysis, but the vendor security advisory GHSA-3frc-cfh9-ch2c documents the issue.

Docker Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

Command injection in Dokploy 0.29.1 and earlier allows authenticated users to execute arbitrary OS commands on the host by abusing the Docker file upload feature's unsanitized destinationPath parameter. The CVSS 9.9 score reflects scope change to the underlying host from a containerized context, and no public exploit identified at time of analysis though the GHSA advisory provides sufficient technical detail to reconstruct one.

Docker File Upload Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Command injection in Dokploy 0.29.0 and earlier allows authenticated users to execute arbitrary OS commands on the host by deleting a Docker registry whose registryUrl contains shell metacharacters. The deleteRegistry function in packages/server/src/services/registry.ts passes registryUrl unescaped into docker logout, while the adjacent docker login call correctly uses shEscape() - making this a clear regression. No public exploit identified at time of analysis, but the root cause is documented in the vendor's GHSA advisory.

Docker Command Injection
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL Act Now

Authenticated command injection in Dokploy 0.26.6 and earlier enables any logged-in user to run arbitrary OS commands as root via the /docker-container-logs WebSocket endpoint. The tail and since parameters are concatenated into shell commands without validation, yielding a CVSS 9.9 (Scope:Changed) issue affecting this self-hosted PaaS. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Docker Command Injection
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

{method_name} and /simple_execute/{method_name} endpoints, which call pickle.loads() on raw HTTP request bodies. The flaw scored CVSS 4.0 of 9.2 and has an upstream fix in commit d7441481, but no public exploit was identified at time of analysis; risk is amplified by the default Docker image running as root, leading to full container compromise.

Docker RCE Deserialization
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authenticated arbitrary file read in Arcane (Docker management UI) versions ≤ 1.19.3 allows any low-privileged user to read any file accessible to the backend process by abusing Docker Compose `include:` directives. Because `CreateProject` skips include-path validation that `UpdateProject` enforces, an attacker can register a project whose compose file points at `/etc/passwd` or `/app/data/arcane.db`, then fetch the contents via the project file API - yielding stored password hashes and API keys for all users, enabling admin takeover and host RCE through Arcane's Docker control plane. No public exploit identified at time of analysis; vendor patch is available in 1.19.4.

Docker Path Traversal Privilege Escalation
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Command injection in AnythingLLM prior to 1.13.0 allows attackers chatting with an agent to execute arbitrary commands inside the server container by abusing the filesystem-search-files skill. The LLM-controlled pattern parameter is passed to ripgrep without a '--' end-of-options separator, letting a crafted pattern like '--pre=/bin/sh' coerce ripgrep into executing files as shell scripts. The default official Docker image ships with the filesystem plugin enabled, making typical deployments exploitable; no public exploit identified at time of analysis.

Docker Command Injection
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Broken access control in Pimcore's CustomReports bundle (composer package pimcore/pimcore, versions ≤ 12.3.5) lets an authenticated low-privileged backend user who holds only the generic `reports` permission read the full configuration of custom reports they were never granted access to. The report detail endpoint (`getAction`) validates only coarse `reports`/`reports_config` permissions, whereas the listing endpoint enforces per-report sharing rules through `loadForGivenUser()`; consequently a report hidden from a user's visible list can still be retrieved directly by name. A working proof-of-concept is published in the vendor's GitHub Security Advisory (GHSA-jwcc-gv4m-93x6), so publicly available exploit code exists, but there is no public evidence of active exploitation.

Docker PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

WordExportBundle in Pimcore CMS enforces only feature-level permission (`word_export`) at export initiation but performs no object-level authorization check against the target document element, constituting a broken object-level authorization (BOLA) flaw. Authenticated low-privileged backend users holding the `word_export` permission can supply arbitrary `type/id` parameters to `wordExportAction()` to export full content - including titles, descriptions, and body - from pages, snippets, emails, or objects they are explicitly denied `view` access to. A publicly available proof-of-concept script is included in the GitHub security advisory GHSA-332x-r494-54fq confirming practical exploitability; the vulnerability is not currently listed in CISA KEV.

Docker PHP Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in Nocturne Memory before 2.4.1 lets any network-adjacent client gain unauthenticated read/write/delete access to the full Knowledge-Graph API when operators deploy the default Docker configuration without setting API_TOKEN. Because the server binds to 0.0.0.0 with CORS allow_origins=["*"] and the BearerTokenAuthMiddleware silently disables auth on an empty token, an attacker on the same LAN can tamper with memory entries such as system://boot and core://* that auto-load into downstream MCP agent sessions, enabling persistent prompt-injection. There is no public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the source data.

Docker Authentication Bypass
NVD GitHub
EPSS 0%
MEDIUM PATCH This Month

VM escape in Kata Containers allows any Kubernetes user with pod-creation rights to break out of the VM sandbox and gain full read/write access to the host filesystem. All Kata Containers installations prior to commit ffa59ce3aa78 are affected when using the default configuration.toml, which enables the `virtio_fs_extra_args` and `kernel_params` pod annotations out of the box. An attacker crafts a pod with two annotations: one to redirect virtiofsd to serve the host root filesystem (`/`) into the guest VM, and a second to enable the agent debug console - after which the entire host filesystem is accessible from inside the supposedly isolated VM. A fully working proof-of-concept with confirmed output against Kata Containers 3.28.0 on Ubuntu 24.04 has been publicly disclosed; no public exploit confirmed as actively exploited (CISA KEV) at time of analysis.

Ubuntu Kubernetes Gitlab +3
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated write access to patient electronic health records in epa4all-client 1.2.4 and earlier exposes German Telematik Infrastruktur (ePA 3.0) deployments to unauthorized data manipulation. The REST adapter component ships with no authentication or authorization controls, allowing any adjacent-network caller to write arbitrary documents to any patient EHR accessible via the institution's SMC-B card. No public exploit code has been identified at time of analysis, but the CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms exploitation requires no credentials and minimal technical complexity once network-adjacent.

Authentication Bypass Docker Java
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Server-side request forgery in Karakeep self-hosted bookmark manager versions prior to 0.32.0 allows authenticated users to bypass internal-network protections by chaining attacker-controlled HTTP redirects, reaching Docker-internal services from the crawler and video download flows. Publicly available exploit code exists per SSVC, though EPSS is low at 0.03% and the issue is not in CISA KEV. Fixed in version 0.32.0.

Docker SSRF Karakeep
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

{id}/templates/variables endpoint, which lacks the checkAdmin() guard applied to every other admin-sensitive handler. Because global variables are merged into every project's compose file at deploy time, an attacker can redirect image pulls to a malicious registry to achieve cross-tenant supply-chain code execution on the Docker host, steal credentials from other users' deployments, or break every project on the instance. No public exploit identified at time of analysis, but the GHSA advisory documents the exact vulnerable code path.

Authentication Bypass Docker
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to achieve RCE on the host by tricking the MLX inference backend into loading a Python file from an attacker-controlled OCI model registry. The MLX-LM library imports the file referenced by config.json's model_file field via importlib without any trust_remote_code gate, and the backend runs unsandboxed as the Docker Desktop user. Patched in Docker Desktop 4.71.0; no public exploit identified at time of analysis and EPSS is very low (0.01%), but the SSVC technical impact is rated total.

Python Apple RCE +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's vllm-metal inference backend on macOS allows any container on the Docker network to trigger host-level RCE by pulling a malicious model from an OCI registry and requesting inference. The Docker Model Runner unconditionally sets trust_remote_code=True and runs without sandboxing, so AutoTokenizer.from_pretrained() loads attacker-controlled Python from the model and executes it as the Docker Desktop user. No public exploit identified at time of analysis; EPSS sits at 0.01% and SSVC marks exploitation as 'none' despite total technical impact.

Python Apple RCE +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Enhanced Container Isolation (ECI) bypass in Docker Desktop allows a local low-privileged user with Docker CLI access to mount the Docker Engine socket into a container by invoking the --use-api-socket flag, granting full Docker Engine control and exposure of registry credentials. The flaw stems from the API proxy inspecting only HostConfig.Binds while the flag routes the mount through HostConfig.Mounts, slipping past ECI policy. No public exploit identified at time of analysis, but the issue was reported by Docker itself and disclosed via ZDI (ZDI-26-299).

Authentication Bypass Docker
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unauthenticated SQL injection in YesWiki's Bazar form-import path allows any remote visitor to inject arbitrary SQL into an INSERT statement and exfiltrate the entire database, including yeswiki_users.password hashes. Affects YesWiki 4.6.1, 4.6.2, and the doryphore-dev branch prior to 4.6.4. Publicly available exploit code exists (a working Python PoC is published in the GHSA advisory), though no public exploit identified in CISA KEV at time of analysis.

PHP Python SQLi +1
NVD GitHub
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

Unauthenticated cross-origin MCP tool invocation in Network-AI v5.4.4 allows a remote attacker to lure a victim to a malicious web page that silently invokes any of the 22 exposed MCP tools (including config_set, agent_spawn, blackboard_write, and token_create/revoke) against the victim's locally running MCP SSE server. The vulnerability stems from an empty default secret combined with a wildcard CORS policy, and publicly available exploit code exists in the GHSA advisory demonstrating end-to-end exploitation. No CISA KEV listing yet and EPSS data was not provided, but the published PoC and trivial attack mechanics make this a meaningful risk for any user running the default Docker deployment.

Python RCE Docker
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Sandbox escape in Boxlite versions prior to 0.9.0 lets untrusted code running inside the lightweight VM remount host-shared virtiofs directories from read-only to read-write, enabling arbitrary writes to host files that operators believed were protected. Because the container is granted all 41 Linux capabilities (including CAP_SYS_ADMIN), a trivial 'mount -o remount,rw' bypasses the client-side MS_RDONLY enforcement, and in AI-agent deployments this leads to host code execution by tampering with mounted code, virtualenvs, or credentials. Publicly available exploit code exists (working PoC published in the GHSA advisory) and the issue carries a CVSS 10.0 with scope change; no public exploit identified at time of analysis in CISA KEV.

Node.js Docker Authentication Bypass +2
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Unauthenticated remote code execution in Penpot MCP module's ReplServer (npm @penpot/mcp < 2.15.0) allows anyone on the adjacent network to POST arbitrary JavaScript to a `/execute` endpoint and have it executed by the Node.js process. The flaw stems from Express defaulting the listen() bind address to 0.0.0.0 instead of localhost, combined with a complete absence of authentication on the REPL endpoint. No public exploit identified at time of analysis beyond the reporter's working PoC included in the GHSA advisory.

RCE Docker
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent attackers to execute arbitrary OS commands by chaining two unprotected API endpoints. The Next.js authentication middleware in src/proxy.js uses a narrow route allowlist that excludes /api/cli-tools/* and /api/mcp/*, letting an attacker register an arbitrary command via POST /api/cli-tools/cowork-settings and then trigger spawn() via GET /api/mcp/[plugin]/sse. Publicly available exploit code exists (PoC published with the GHSA advisory), with CVSS 10.0 reflecting maximum severity across confidentiality, integrity, and availability.

Python Denial Of Service Docker +1
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Stored cross-site scripting in Budibase self-hosted deployments (versions before 3.38.2) allows any authenticated user with Builder role - or any BASIC/POWER user with table WRITE permission - to upload SVG, HTML, or JavaScript files containing active content via the /api/attachments/process and /api/attachments/:tableId/upload endpoints. The files are stored in the configured object store (MinIO/S3) with their executable MIME types and served via signed URLs, so any end user viewing an attachment triggers script execution in their browser session. Publicly available exploit code exists (detailed PoC in the GHSA advisory); no public exploit identified in active campaigns at time of analysis.

Docker Redis CSRF +2
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

{id}/html-check`, making this a zero-credential pivot primitive into internal infrastructure. Publicly available exploit code exists; no confirmed active exploitation in CISA KEV at time of analysis.

Java Docker SSRF +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local file disclosure in NiceGUI versions <= 3.11.1 allows remote unauthenticated attackers to read arbitrary files accessible to the server process when applications pass user-controlled content to ui.restructured_text(). The flaw stems from Docutils being invoked without disabling file-insertion directives (include, csv-table :file:, raw :file:), enabling exfiltration of secrets, credentials, and source code. No public exploit identified at time of analysis, but the vendor advisory provides full directive-level proof patterns.

Information Disclosure Kubernetes Python +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial-of-service in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows unauthenticated attackers to crash the privileged instrumentation process by sending a crafted memcached storage command with an oversized `<bytes>` field. The integer overflow in the memcached text protocol parser produces a negative payload length that triggers a Go runtime panic in LargeBufferReader.Peek, halting telemetry collection until OBI is restarted. Publicly available exploit code exists in the GHSA-43g7-cwr8-q3jh advisory, but there is no public exploit identified beyond the PoC and the vulnerability is not listed in CISA KEV.

Docker RCE Denial Of Service +3
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to crash the telemetry agent by sending a malformed Postgres BIND frame with an empty or unterminated portal name payload to any monitored service. The defect lives in OBI's passive Postgres protocol parser, where missing NUL-terminator validation causes a Go slice-bounds panic, halting telemetry collection on the affected node. Publicly available exploit code exists in the GHSA-pgvv-q3wf-mm9m advisory, though the issue is not listed in CISA KEV and EPSS data was not provided.

PostgreSQL Docker Python +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 forwards raw Redis error replies verbatim into OTLP span status messages, enabling both information disclosure and telemetry injection against any deployment tracing Redis traffic. The `getRedisError` function in `pkg/ebpf/common/redis_detect_transform.go` applies only CRLF trimming before storing error text directly into `request.DBError.Description`, which `span.go` then exports as the span status message for every non-zero-status Redis span. A publicly available proof-of-concept demonstrates that caller-supplied values embedded in Redis error replies - including authentication credentials, tokens, and PII - are automatically propagated into OTLP collectors, dashboards, and log aggregators without requiring any special attacker position beyond the ability to trigger Redis errors. No public exploit identified at time of analysis beyond the included PoC; not in CISA KEV.

Redis Docker Information Disclosure +1
NVD GitHub
Prev Page 2 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy