Docker
Monthly
FastGPT versions 4.14.8.3 and below contain a critical arbitrary code execution vulnerability in the fastgpt-preview-image.yml GitHub Actions workflow that allows external contributors to execute malicious code and exfiltrate repository secrets. The vulnerability stems from unsafe use of pull_request_target with attacker-controlled Dockerfile builds that are pushed to the production container registry, enabling both direct compromise and supply chain attacks. No patch was available at the time of public disclosure, making this an unpatched remote code execution affecting the AI Agent building platform across affected versions.
WWBN AVideo open source video platform versions 25.0 and below ship with a hardcoded default administrator password ('password') in official Docker deployment files that is automatically used during installation without any forced change mechanism. Attackers can gain immediate administrative access to unpatched instances, enabling user data exposure, content manipulation, and potential remote code execution via file upload and plugin management features. The issue is compounded by weak MD5 password hashing and similarly insecure default database credentials (avideo/avideo).
A sandbox network isolation bypass vulnerability in OpenClaw allows trusted operators to escape container network boundaries and join other containers' network namespaces. OpenClaw versions before 2026.2.24 are affected, enabling attackers who have operator privileges to configure the docker.network parameter with 'container:<id>' values to reach services in target container namespaces and bypass network segmentation controls. The vulnerability has a critical CVSS score of 9.8 but requires trusted operator access, and there is no evidence of active exploitation in KEV or high EPSS probability.
Authenticated file read vulnerability in PHP and Docker deployments allows users to exfiltrate arbitrary files from the server by exploiting insufficient path validation in the video upload endpoint, which copies attacker-specified local files to publicly accessible storage. An authenticated attacker can leverage this to read sensitive files from broad server directories including application roots, cache, and temporary locations. No patch is currently available, and the vulnerability carries a 10% exploit prediction score.
JWT algorithm confusion in MinIO's OpenID Connect authentication enables attackers with knowledge of the OIDC ClientSecret to forge identity tokens and obtain S3 credentials with unrestricted IAM policies, including administrative access. Affected users can have their identities impersonated and their data accessed, modified, or deleted with 100% attack success rate. The vulnerability impacts MinIO deployments across Docker, Apple, and Microsoft platforms, with no patch currently available.
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrary files anywhere on the host system, leading to remote code execution. The vulnerability affects Langflow version 1.7.3 and earlier, where the multipart upload filename bypasses security checks due to missing boundary containment in the LocalStorageService layer. A proof-of-concept exploit is publicly available demonstrating successful arbitrary file write outside the intended user directory.
Salvo web framework's form data parsing functions fail to enforce payload size limits before loading request bodies into memory, allowing attackers to trigger Out-of-Memory crashes by sending extremely large form payloads. This affects the Rust package salvo (pkg:rust/salvo) through multiple attack vectors including URL-encoded and multipart form data handling. A proof-of-concept demonstrates successful denial-of-service against containerized deployments with limited memory, and the vulnerability is publicly documented in GitHub security advisories GHSA-pp9r-xg4c-8j4x.
The NLTK (Natural Language Toolkit) WordNet Browser HTTP server contains an unauthenticated shutdown vulnerability that allows any remote attacker to terminate the service with a single GET request to the '/SHUTDOWN THE SERVER' endpoint. This affects users running nltk.app.wordnet_app in its default mode, where the server binds to all network interfaces without authentication. A proof-of-concept exploit is publicly available demonstrating the denial-of-service attack, though EPSS and KEV data are not yet available for this recent CVE.
A reflected cross-site scripting (XSS) vulnerability exists in NLTK's WordNet Browser application (nltk.app.wordnet_app) in the lookup_... route, where attacker-controlled word parameters are reflected into HTML responses without proper escaping. This vulnerability affects users running the local WordNet Browser server and allows attackers to inject and execute arbitrary JavaScript in the browser context of the affected application. A proof-of-concept exploit has been publicly demonstrated, and a vendor patch is available.
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
The SiYuan kernel, a Go-based note-taking application, contains an authentication bypass vulnerability in its WebSocket server that allows unauthenticated attackers to crash the kernel process through malformed JSON messages. SiYuan kernel versions exposed via Docker or network-accessible deployments are affected, with the issue stemming from unsafe type assertions on attacker-controlled input after bypassing authentication via a specific query parameter pattern. A proof-of-concept demonstrating the attack exists in the GitHub advisory, and while CVSS rates this as 7.5 High severity for availability impact, real-world exploitation risk depends heavily on network exposure beyond localhost.
Docker's IsSensitivePath() function uses an incomplete denylist that fails to restrict access to sensitive directories including /opt, /usr, /home, /mnt, and /media, allowing authenticated users with high privileges to read arbitrary files outside the intended workspace through the globalCopyFiles and importStdMd endpoints. An attacker with administrative credentials could exploit this path traversal vulnerability to access sensitive configuration files and data from other users or mounted volumes. No patch is currently available for this medium-severity issue.
The OneUptime monitoring platform (specifically version 10.0.23 and likely earlier versions) contains an authentication bypass vulnerability in its WhatsApp webhook handler that fails to verify the X-Hub-Signature-256 HMAC signature required by Meta/WhatsApp. Any unauthenticated remote attacker can send forged webhook payloads to manipulate notification delivery status records, suppress critical alerts, and corrupt audit trails. A working proof-of-concept exploit has been published demonstrating successful injection of arbitrary webhook events via simple HTTP POST requests with no authentication required.
Heimdall, an authorization decision API for Envoy proxy, contains a path traversal bypass vulnerability when used in gRPC decision API mode. Attackers can bypass non-wildcard path expression rules by appending query parameters to URLs, which causes incorrect URL encoding that prevents rule matching. A proof-of-concept is publicly available demonstrating the bypass, though exploitation requires heimdall to be configured with an insecure 'allow all' default rule (which is blocked by secure defaults since v0.16.0 unless explicitly disabled).
The @aborruso/ckan-mcp-server MCP server contains a Server-Side Request Forgery (SSRF) vulnerability in its ckan_package_search, sparql_query, and ckan_datastore_search_sql tools, which accept an arbitrary base_url parameter without validation, allowing attackers to scan internal networks, exfiltrate cloud metadata credentials (including IAM tokens from 169.254.169.254), and potentially execute injection attacks. The vulnerability affects the npm package @aborruso/ckan-mcp-server (pkg:npm/@aborruso/ckan-mcp-server) and requires prompt injection to exploit, making attack complexity high; a proof-of-concept exists demonstrating 9 unthrottled HTTP requests to a canary endpoint, and patch availability exists from the vendor.
An authorization bypass vulnerability in SiYuan Note v3.6.0 and earlier allows any authenticated user, including those with read-only 'Reader' role privileges, to execute arbitrary SQL commands through the /api/search/fullTextSearchBlock endpoint when the method parameter is set to 2. This enables attackers to read, modify, or delete all data in the application's SQLite database, completely bypassing the application's role-based access controls. A detailed proof-of-concept demonstrates how Reader-role users can execute destructive SQL operations including dropping tables.
Unauthenticated attackers can register administrator accounts in Docker when self-registration is enabled and default user permissions include admin privileges, as the signup handler fails to strip admin permissions from self-registered accounts. Public exploit code exists for this vulnerability. No patch is currently available.
Docker TUS resumable upload handler allows authenticated users to trigger arbitrary `after_upload` hooks unlimited times by supplying a negative value in the Upload-Length header, causing command execution with zero bytes actually uploaded. The integer overflow flaw in the completion logic (CWE-190) bypasses file upload requirements and enables privilege escalation through hook execution. No patch is currently available.
SiYuan's mobile file tree fails to sanitize notebook names in WebSocket rename events, allowing authenticated users to inject arbitrary HTML and JavaScript that executes in other clients' browsers. When combined with Electron's insecure configuration (nodeIntegration enabled, contextIsolation disabled), this stored XSS escalates to remote code execution with full Node.js privileges on affected desktop and mobile clients. The vulnerability affects users with notebook rename permissions across Docker, Node.js, Python, and Apple platforms.
SiYuan Note contains an unrestricted path traversal vulnerability in the POST /api/import/importStdMd endpoint that allows authenticated administrators to recursively import arbitrary files from the host filesystem into the workspace database without any validation or blocklisting. Affected versions of SiYuan (pkg:go/github.com_siyuan-note_siyuan) allow admin users to permanently store sensitive files such as /proc/, /etc/, /run/secrets/, and other system directories as searchable note content, making them accessible to other workspace users including those with limited privileges. A proof-of-concept has been published demonstrating import of /proc/1/ and /run/secrets/, and when chained with separate SQL injection vulnerabilities in the renderSprig template function, non-admin users can retrieve imported secrets without additional privileges.
Path traversal in Python and Docker import endpoints allows authenticated administrators to write files to arbitrary filesystem locations by injecting directory traversal sequences in multipart upload filenames, potentially enabling remote code execution through placement of malicious files in executable paths. The vulnerability affects the POST /api/import/importSY and POST /api/import/importZipMd endpoints which fail to sanitize user-supplied filenames before constructing file write paths. No patch is currently available.
Administrative users of Docker and PostgreSQL deployments can exploit an incomplete path validation in the `POST /api/file/globalCopyFiles` endpoint to copy sensitive files like container environment variables and Docker secrets from restricted locations (`/proc/`, `/run/secrets/`) into the workspace, where they become readable via standard file APIs. The vulnerability stems from reliance on a blocklist-based validation mechanism that fails to prevent access to these critical system paths. Since no patch is currently available, organizations should restrict administrative access to the affected API endpoint until an update is released.
A critical CORS misconfiguration in the Glances system monitoring tool's REST API allows any website to steal sensitive system information from users who visit a malicious page while having access to a Glances instance. The vulnerability affects all versions prior to 4.5.2 and enables cross-origin theft of system stats, configuration secrets, database passwords, API keys, and command-line arguments. A proof-of-concept is publicly available, though no active exploitation has been reported yet.
Glances monitoring system allows local attackers with limited privileges to execute arbitrary commands by injecting shell metacharacters into process or container names, which bypass command sanitization in the action execution handler. The vulnerability affects the threshold alert system that dynamically executes administrator-configured shell commands populated with runtime monitoring data. An attacker controlling a process name or container name can manipulate command parsing to break out of intended command boundaries and inject malicious commands.
Glances web server exposes its REST API without authentication by default when started with the -w flag, allowing unauthenticated remote attackers to access sensitive system information including process details that may contain credentials such as passwords and API keys. The vulnerability affects Python and Docker deployments where Glances is exposed to untrusted networks due to the server binding to 0.0.0.0 with authentication disabled by default. A patch is available to address this configuration vulnerability.
A critical authentication bypass vulnerability in authlib's JWT signature verification allows attackers to forge arbitrary tokens by injecting their own cryptographic keys through the JWT header. The flaw affects all versions of authlib prior to 1.6.9 when applications use key resolution callbacks that can return None (common in JWKS-based authentication flows). A working proof-of-concept exists demonstrating complete authentication bypass, enabling attackers to impersonate any user or assume administrative privileges without valid credentials.
A arbitrary file access vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
CVE-2026-32704 is a security vulnerability (CVSS 6.5). Risk factors: public PoC available.
OneUptime versions prior to 10.0.24 contain a sensitive information exposure vulnerability where the password reset flow logs complete password reset URLs containing plaintext reset tokens at the INFO log level, which is enabled by default in production environments. Any actor with access to application logs-including log aggregation systems, Docker logs, or Kubernetes pod logs-can extract these tokens and perform account takeover on any user. The vulnerability is fixed in version 10.0.24.
Path traversal via dagRunId in DAG execution endpoints.
Medium severity vulnerability in ImageMagick. # Specially crafted SVG file make segmentation fault and generate trash files in "/tmp", possible to leverage DoS.
Default credentials in netbox-docker before 2.5.0.
Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network addresses and cloud metadata endpoints by providing malicious URLs during link creation, bypassing validation controls that exist elsewhere in the application. An attacker with valid credentials can exploit this to access Docker service hostnames, internal services, and sensitive metadata endpoints. No patch is currently available for this vulnerability affecting PHP-based LinkAce deployments.
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by accessing the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. This affects the official Docker deployment configuration for PHP, Docker, and AVideo products.
OpenClaw versions up to 2026.2.15 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
Local privilege escalation in Docker CLI for Windows (through version 29.1.5) lets a low-privileged user plant malicious CLI-plugin binaries that execute when a higher-privileged victim runs Docker. Because C:\ProgramData\Docker\cli-plugins does not exist by default, any local user can create it and drop trojanized binaries such as docker-compose.exe or docker-buildx.exe, which Docker Desktop or the CLI plugin manager will load and execute. EPSS is very low (0.01%) and there is no public exploit identified at time of analysis, but ZDI tracked the issue (ZDI-CAN-28304) and a vendor patch is available.
Path traversal in Kaniko 1.25.4 through 1.25.9 allows attackers to extract tar archives outside the intended destination directory, enabling arbitrary file writes on the build system. When combined with Docker credential helpers in registry authentication scenarios, this vulnerability can be leveraged for code execution within the Kaniko executor process. Docker and Kubernetes environments using the affected Kaniko versions are at risk.
and deploy AI models using Docker. versions up to 1.0.16 contains a security vulnerability (CVSS 7.5).
Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with.
Path traversal in Beszel hub's container API endpoints allows authenticated users, including those with read-only roles, to bypass validation and access arbitrary Docker Engine API endpoints on agent hosts through improper URL path construction. This exposure of sensitive infrastructure details affects Beszel versions prior to 0.18.4 and Docker integrations, with public exploit code already available. The vulnerability requires valid authentication but no special privileges, making it exploitable by low-privileged users in multi-tenant environments.
Privilege escalation in WireGuard Portal prior to version 2.1.3 allows authenticated non-admin users to gain full administrator access by modifying their own user profile with an IsAdmin flag set to true. The vulnerability exists because the server fails to properly validate and restrict the IsAdmin field during profile updates, allowing the privilege change to persist after re-authentication. Affected deployments require immediate patching to version 2.1.3 or later to prevent unauthorized administrative access.
OS command injection in bleon-ethical/api-gateway-deploy npm package version 1.0.0. Attack chain enables remote code execution through crafted API gateway deployment configuration.
Local privilege escalation via out-of-bounds memory read in Docker Desktop's grpcfuse kernel module (versions up to 4.61.0) on Linux, Windows, and macOS allows authenticated local attackers to achieve complete system compromise through manipulation of /proc/docker entries. The vulnerability requires local access and valid user credentials but enables reading and modifying arbitrary kernel memory with high impact on confidentiality, integrity, and availability. Docker Desktop 4.62.0 and later resolve this issue.
BigBlueButton versions 3.0.21 and below allow remote denial of service when ClamAV is configured following official documentation, as the exposed clamd ports (3310, 7357) can be targeted by attackers to send malicious documents that exhaust server resources or crash the scanning service. This vulnerability affects Ubuntu and Docker deployments since standard firewall rules do not restrict container traffic, and public exploit code exists. An unauthenticated remote attacker requires only network access to trigger the denial of service condition.
Arbitrary host file exfiltration from Cloud Hypervisor VMM versions 34.0-50.0. CVSS 10.0. Patch available.
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. [CVSS 3.3 LOW]
Configuration injection in OpenClaw Docker sandbox before 2026.2.15 allows escaping sandbox restrictions. Patch available.
Trivy Action versions 0.31.0 through 0.33.1 allow remote code execution on GitHub Actions runners due to insufficient input sanitization when constructing shell environment variable exports. An attacker with repository access can inject shell metacharacters through action inputs to achieve arbitrary command execution in the runner context. The vulnerability requires high privileges to exploit and is addressed in version 0.34.0.
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. [CVSS 3.8 LOW]
Arbitrary local file disclosure in Crawl4AI's Docker API (versions before 0.8.0) lets unauthenticated remote attackers read any file on the server by supplying file:// URLs to the /execute_js, /screenshot, /pdf, and /html endpoints. Because the API validates no scheme, an attacker can exfiltrate /etc/passwd, /etc/shadow, application config, and process environment via /proc/self/environ - directly exposing credentials and API keys. Publicly documented in GitHub advisory GHSA-vx9w-5cx4-9796 with a working request example; no public exploit identified as active exploitation, and EPSS is low (0.06%, 19th percentile).
Remote code execution in Crawl4AI Docker API before 0.8.0 via hooks parameter. The /crawl endpoint accepts Python code in hooks that executes on the server. EPSS 0.28%.
Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code execution outside the intended sandbox boundary.
Improper policy enforcement in OpenFGA versions 1.8.5 through 1.11.2 (and corresponding Helm Chart and Docker releases) allows authenticated users to bypass authorization checks through specially crafted tuple configurations that mix type-bound public and non-public access policies. An attacker with valid credentials can exploit mismatched tuple assignments to gain unauthorized access to protected resources by leveraging lexicographic object ID ordering in the authorization engine. No patch is currently available.
Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. [CVSS 6.7 MEDIUM]
Command injection in OpenClaw's Docker sandbox execution allows authenticated users to manipulate the PATH environment variable and execute arbitrary commands within containers prior to version 2026.1.29. An attacker with valid credentials and ability to control environment variables could achieve code execution within the containerized AI assistant. A patch is available in version 2026.1.29 and later.
Arbitrary Python code execution in Backstage's @backstage/plugin-techdocs-node (versions < 1.13.11 and = 1.14.0) lets a contributor who can add or edit a repository's mkdocs.yml inject a malicious MkDocs `hooks` directive that runs on the TechDocs build server whenever TechDocs is configured with `runIn: local`. The flaw also affects documentation built in CI/CD via @techdocs/cli, which bundles the same package. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the CVSS of 8.8 reflects full host compromise of the build environment.
Backstage TechDocs plugin versions prior to 1.13.11 and 1.14.1 contain a path traversal vulnerability that allows authenticated attackers to read arbitrary files from the host filesystem when the local generator is enabled. The vulnerability stems from insufficient symlink validation during the documentation build process, enabling attackers to embed sensitive file contents into generated HTML accessible to documentation viewers. Organizations using `techdocs.generator.runIn: local` with untrusted documentation sources are at risk until patching to the fixed versions.
A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path).
Runtipi versions 4.5.0 through 4.7.1 contain an unauthenticated path traversal vulnerability in the UserConfigController that allows remote attackers to overwrite the docker-compose.yml configuration file through insecure URN parsing. An attacker can inject a malicious stack configuration that executes arbitrary code when the instance restarts, achieving full remote code execution and host compromise. Public exploit code exists and no patch is currently available.
malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. [CVSS 6.5 MEDIUM]
Dokploy self-hosted PaaS prior to 0.26.6 has a critical command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands on the host.
Critical access control flaw in Dozzle Docker log viewer allows users restricted by label filters to escape their scope and obtain an interactive root shell on out-of-scope containers. PoC available, patch in v9.0.3.
BentoML versions prior to 1.4.34 allow path traversal attacks through improperly validated file path fields in bentofile.yaml configurations, enabling attackers to embed arbitrary files from the victim's system into bento archives during the build process. This vulnerability can be exploited to exfiltrate sensitive data such as credentials, SSH keys, and environment variables into supply chain artifacts that may be pushed to registries or deployed in production environments. A patch is available in version 1.4.34.
Runtipi versions 3.7.0 through 4.6.x suffer from arbitrary command execution when authenticated users upload backups with malicious filenames containing shell metacharacters, which the BackupManager fails to sanitize before executing restore operations. An attacker with valid credentials can craft a backup filename like $(id).tar.gz to achieve remote code execution on the host server with the privileges of the Runtipi process. Public exploit code exists for this vulnerability, and patches are available in version 4.7.0 and later.
Arcane Docker management interface prior to 1.13.2 has missing authentication, allowing unauthenticated attackers to manage Docker containers, images, and networks on the host.
Tugtainer versions before 1.16.1 transmit authentication credentials through URL query parameters rather than request bodies, causing passwords to be exposed in server logs, browser history, and proxy logs. This exposure allows attackers with access to these logs or cached data to obtain valid credentials for the Docker container management system. Public exploit code exists for this vulnerability, and a patch is available in version 1.16.1.
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.
Arcane Docker management tool before 1.13.0 has command injection in lifecycle labels. Container labels are passed to /bin/sh -c without sanitization, enabling RCE. PoC available.
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can...
LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests to internal networks. By configuring agents with malicious OpenAPI specifications, attackers can scan internal infrastructure and access internal services. PoC available, patch available.
Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an application from an attacker-controlled repository using the Docker Compose build pack, the attacker achieves root code execution on the Coolify instance. PoC available, patch available.
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE)*vulnerability exists in Coolify's application deployment workflow. [CVSS 8.8 HIGH]
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and enables full remote code execution through unsanitized PostgreSQL init script filenames passed to shell commands. A public proof-of-concept exploit is available, and while not currently in CISA KEV, the vulnerability has a moderate EPSS score of 0.41% indicating some exploitation probability.
A command injection vulnerability in Coolify's Database Import functionality allows authenticated users with application/service management permissions to execute arbitrary system commands as root on managed servers. The vulnerability stems from unsanitized database names being passed directly to shell commands, enabling full remote code execution. A public proof-of-concept exploit is available, and with an EPSS score of 0.41% (61st percentile), this represents a moderate real-world exploitation risk for organizations using vulnerable Coolify versions.
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 allow anyone who can reach the database port to authenticate with full read/write access to the backend datastore. Publicly available exploit code exists, though EPSS remains low (0.81%) and the vendor states the database port is not network-exposed by default in 1.0.1 and later, limiting realistic reach. There is no public exploit identified as actively used in the wild (not in CISA KEV).
MartialBE one-hub up to version 0.14.27 uses a hard-coded cryptographic key in the SESSION_SECRET environment variable of its default docker-compose.yml configuration, allowing remote attackers to potentially decrypt or forge session tokens with high attack complexity. The vulnerability requires non-standard deployment configurations and affects confidentiality rather than integrity or availability. Exploit code has been disclosed publicly, though active exploitation remains unconfirmed by CISA, and the vendor explicitly recommends against using the default Docker Compose example in production environments.
A security vulnerability in cpp-httplib (CVSS 5.3) that allows attacker-controlled http headers. Risk factors: public PoC available. Vendor patch is available.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.
A security vulnerability in opsre go-ldap-admin (CVSS 5.6). Remediation should follow standard vulnerability management procedures.
A flaw was found in the ABRT daemon’s handling of user-supplied mount information.ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges.
The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available.
Symlink following in DesktopCommanderMCP up to version 0.2.13 allows local authenticated attackers to read files outside intended directory boundaries through the isPathAllowed function in filesystem.ts. The vulnerability requires local access and authenticated user privileges, with high attack complexity and low exploitability difficulty despite public availability of proof-of-concept code. This affects only unsupported product versions and carries minimal real-world risk (CVSS 1.1, EPSS 0.02%), though the vendor acknowledges the issue as a guardrail limitation rather than a hardened security boundary.
Docker default credentials in Termix server management. PoC and patch available.
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
FastGPT versions 4.14.8.3 and below contain a critical arbitrary code execution vulnerability in the fastgpt-preview-image.yml GitHub Actions workflow that allows external contributors to execute malicious code and exfiltrate repository secrets. The vulnerability stems from unsafe use of pull_request_target with attacker-controlled Dockerfile builds that are pushed to the production container registry, enabling both direct compromise and supply chain attacks. No patch was available at the time of public disclosure, making this an unpatched remote code execution affecting the AI Agent building platform across affected versions.
WWBN AVideo open source video platform versions 25.0 and below ship with a hardcoded default administrator password ('password') in official Docker deployment files that is automatically used during installation without any forced change mechanism. Attackers can gain immediate administrative access to unpatched instances, enabling user data exposure, content manipulation, and potential remote code execution via file upload and plugin management features. The issue is compounded by weak MD5 password hashing and similarly insecure default database credentials (avideo/avideo).
A sandbox network isolation bypass vulnerability in OpenClaw allows trusted operators to escape container network boundaries and join other containers' network namespaces. OpenClaw versions before 2026.2.24 are affected, enabling attackers who have operator privileges to configure the docker.network parameter with 'container:<id>' values to reach services in target container namespaces and bypass network segmentation controls. The vulnerability has a critical CVSS score of 9.8 but requires trusted operator access, and there is no evidence of active exploitation in KEV or high EPSS probability.
Authenticated file read vulnerability in PHP and Docker deployments allows users to exfiltrate arbitrary files from the server by exploiting insufficient path validation in the video upload endpoint, which copies attacker-specified local files to publicly accessible storage. An authenticated attacker can leverage this to read sensitive files from broad server directories including application roots, cache, and temporary locations. No patch is currently available, and the vulnerability carries a 10% exploit prediction score.
JWT algorithm confusion in MinIO's OpenID Connect authentication enables attackers with knowledge of the OIDC ClientSecret to forge identity tokens and obtain S3 credentials with unrestricted IAM policies, including administrative access. Affected users can have their identities impersonated and their data accessed, modified, or deleted with 100% attack success rate. The vulnerability impacts MinIO deployments across Docker, Apple, and Microsoft platforms, with no patch currently available.
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrary files anywhere on the host system, leading to remote code execution. The vulnerability affects Langflow version 1.7.3 and earlier, where the multipart upload filename bypasses security checks due to missing boundary containment in the LocalStorageService layer. A proof-of-concept exploit is publicly available demonstrating successful arbitrary file write outside the intended user directory.
Salvo web framework's form data parsing functions fail to enforce payload size limits before loading request bodies into memory, allowing attackers to trigger Out-of-Memory crashes by sending extremely large form payloads. This affects the Rust package salvo (pkg:rust/salvo) through multiple attack vectors including URL-encoded and multipart form data handling. A proof-of-concept demonstrates successful denial-of-service against containerized deployments with limited memory, and the vulnerability is publicly documented in GitHub security advisories GHSA-pp9r-xg4c-8j4x.
The NLTK (Natural Language Toolkit) WordNet Browser HTTP server contains an unauthenticated shutdown vulnerability that allows any remote attacker to terminate the service with a single GET request to the '/SHUTDOWN THE SERVER' endpoint. This affects users running nltk.app.wordnet_app in its default mode, where the server binds to all network interfaces without authentication. A proof-of-concept exploit is publicly available demonstrating the denial-of-service attack, though EPSS and KEV data are not yet available for this recent CVE.
A reflected cross-site scripting (XSS) vulnerability exists in NLTK's WordNet Browser application (nltk.app.wordnet_app) in the lookup_... route, where attacker-controlled word parameters are reflected into HTML responses without proper escaping. This vulnerability affects users running the local WordNet Browser server and allows attackers to inject and execute arbitrary JavaScript in the browser context of the affected application. A proof-of-concept exploit has been publicly demonstrated, and a vendor patch is available.
Budibase, a low-code platform distributed as a Docker/Kubernetes application, contains a Server-Side Request Forgery (SSRF) vulnerability in its REST datasource query preview endpoint. Authenticated admin users can force the server to make HTTP requests to arbitrary URLs including cloud metadata services, internal networks, and Kubernetes APIs. A detailed proof-of-concept exists demonstrating theft of GCP OAuth2 tokens with cloud-platform scope, CouchDB credential extraction, and internal service enumeration. The CVSS score of 8.7 reflects high confidentiality and integrity impact with changed scope, requiring high privileges but low attack complexity.
The SiYuan kernel, a Go-based note-taking application, contains an authentication bypass vulnerability in its WebSocket server that allows unauthenticated attackers to crash the kernel process through malformed JSON messages. SiYuan kernel versions exposed via Docker or network-accessible deployments are affected, with the issue stemming from unsafe type assertions on attacker-controlled input after bypassing authentication via a specific query parameter pattern. A proof-of-concept demonstrating the attack exists in the GitHub advisory, and while CVSS rates this as 7.5 High severity for availability impact, real-world exploitation risk depends heavily on network exposure beyond localhost.
Docker's IsSensitivePath() function uses an incomplete denylist that fails to restrict access to sensitive directories including /opt, /usr, /home, /mnt, and /media, allowing authenticated users with high privileges to read arbitrary files outside the intended workspace through the globalCopyFiles and importStdMd endpoints. An attacker with administrative credentials could exploit this path traversal vulnerability to access sensitive configuration files and data from other users or mounted volumes. No patch is currently available for this medium-severity issue.
The OneUptime monitoring platform (specifically version 10.0.23 and likely earlier versions) contains an authentication bypass vulnerability in its WhatsApp webhook handler that fails to verify the X-Hub-Signature-256 HMAC signature required by Meta/WhatsApp. Any unauthenticated remote attacker can send forged webhook payloads to manipulate notification delivery status records, suppress critical alerts, and corrupt audit trails. A working proof-of-concept exploit has been published demonstrating successful injection of arbitrary webhook events via simple HTTP POST requests with no authentication required.
Heimdall, an authorization decision API for Envoy proxy, contains a path traversal bypass vulnerability when used in gRPC decision API mode. Attackers can bypass non-wildcard path expression rules by appending query parameters to URLs, which causes incorrect URL encoding that prevents rule matching. A proof-of-concept is publicly available demonstrating the bypass, though exploitation requires heimdall to be configured with an insecure 'allow all' default rule (which is blocked by secure defaults since v0.16.0 unless explicitly disabled).
The @aborruso/ckan-mcp-server MCP server contains a Server-Side Request Forgery (SSRF) vulnerability in its ckan_package_search, sparql_query, and ckan_datastore_search_sql tools, which accept an arbitrary base_url parameter without validation, allowing attackers to scan internal networks, exfiltrate cloud metadata credentials (including IAM tokens from 169.254.169.254), and potentially execute injection attacks. The vulnerability affects the npm package @aborruso/ckan-mcp-server (pkg:npm/@aborruso/ckan-mcp-server) and requires prompt injection to exploit, making attack complexity high; a proof-of-concept exists demonstrating 9 unthrottled HTTP requests to a canary endpoint, and patch availability exists from the vendor.
An authorization bypass vulnerability in SiYuan Note v3.6.0 and earlier allows any authenticated user, including those with read-only 'Reader' role privileges, to execute arbitrary SQL commands through the /api/search/fullTextSearchBlock endpoint when the method parameter is set to 2. This enables attackers to read, modify, or delete all data in the application's SQLite database, completely bypassing the application's role-based access controls. A detailed proof-of-concept demonstrates how Reader-role users can execute destructive SQL operations including dropping tables.
Unauthenticated attackers can register administrator accounts in Docker when self-registration is enabled and default user permissions include admin privileges, as the signup handler fails to strip admin permissions from self-registered accounts. Public exploit code exists for this vulnerability. No patch is currently available.
Docker TUS resumable upload handler allows authenticated users to trigger arbitrary `after_upload` hooks unlimited times by supplying a negative value in the Upload-Length header, causing command execution with zero bytes actually uploaded. The integer overflow flaw in the completion logic (CWE-190) bypasses file upload requirements and enables privilege escalation through hook execution. No patch is currently available.
SiYuan's mobile file tree fails to sanitize notebook names in WebSocket rename events, allowing authenticated users to inject arbitrary HTML and JavaScript that executes in other clients' browsers. When combined with Electron's insecure configuration (nodeIntegration enabled, contextIsolation disabled), this stored XSS escalates to remote code execution with full Node.js privileges on affected desktop and mobile clients. The vulnerability affects users with notebook rename permissions across Docker, Node.js, Python, and Apple platforms.
SiYuan Note contains an unrestricted path traversal vulnerability in the POST /api/import/importStdMd endpoint that allows authenticated administrators to recursively import arbitrary files from the host filesystem into the workspace database without any validation or blocklisting. Affected versions of SiYuan (pkg:go/github.com_siyuan-note_siyuan) allow admin users to permanently store sensitive files such as /proc/, /etc/, /run/secrets/, and other system directories as searchable note content, making them accessible to other workspace users including those with limited privileges. A proof-of-concept has been published demonstrating import of /proc/1/ and /run/secrets/, and when chained with separate SQL injection vulnerabilities in the renderSprig template function, non-admin users can retrieve imported secrets without additional privileges.
Path traversal in Python and Docker import endpoints allows authenticated administrators to write files to arbitrary filesystem locations by injecting directory traversal sequences in multipart upload filenames, potentially enabling remote code execution through placement of malicious files in executable paths. The vulnerability affects the POST /api/import/importSY and POST /api/import/importZipMd endpoints which fail to sanitize user-supplied filenames before constructing file write paths. No patch is currently available.
Administrative users of Docker and PostgreSQL deployments can exploit an incomplete path validation in the `POST /api/file/globalCopyFiles` endpoint to copy sensitive files like container environment variables and Docker secrets from restricted locations (`/proc/`, `/run/secrets/`) into the workspace, where they become readable via standard file APIs. The vulnerability stems from reliance on a blocklist-based validation mechanism that fails to prevent access to these critical system paths. Since no patch is currently available, organizations should restrict administrative access to the affected API endpoint until an update is released.
A critical CORS misconfiguration in the Glances system monitoring tool's REST API allows any website to steal sensitive system information from users who visit a malicious page while having access to a Glances instance. The vulnerability affects all versions prior to 4.5.2 and enables cross-origin theft of system stats, configuration secrets, database passwords, API keys, and command-line arguments. A proof-of-concept is publicly available, though no active exploitation has been reported yet.
Glances monitoring system allows local attackers with limited privileges to execute arbitrary commands by injecting shell metacharacters into process or container names, which bypass command sanitization in the action execution handler. The vulnerability affects the threshold alert system that dynamically executes administrator-configured shell commands populated with runtime monitoring data. An attacker controlling a process name or container name can manipulate command parsing to break out of intended command boundaries and inject malicious commands.
Glances web server exposes its REST API without authentication by default when started with the -w flag, allowing unauthenticated remote attackers to access sensitive system information including process details that may contain credentials such as passwords and API keys. The vulnerability affects Python and Docker deployments where Glances is exposed to untrusted networks due to the server binding to 0.0.0.0 with authentication disabled by default. A patch is available to address this configuration vulnerability.
A critical authentication bypass vulnerability in authlib's JWT signature verification allows attackers to forge arbitrary tokens by injecting their own cryptographic keys through the JWT header. The flaw affects all versions of authlib prior to 1.6.9 when applications use key resolution callbacks that can return None (common in JWKS-based authentication flows). A working proof-of-concept exists demonstrating complete authentication bypass, enabling attackers to impersonate any user or assume administrative privileges without valid credentials.
A arbitrary file access vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
CVE-2026-32704 is a security vulnerability (CVSS 6.5). Risk factors: public PoC available.
OneUptime versions prior to 10.0.24 contain a sensitive information exposure vulnerability where the password reset flow logs complete password reset URLs containing plaintext reset tokens at the INFO log level, which is enabled by default in production environments. Any actor with access to application logs-including log aggregation systems, Docker logs, or Kubernetes pod logs-can extract these tokens and perform account takeover on any user. The vulnerability is fixed in version 10.0.24.
Path traversal via dagRunId in DAG execution endpoints.
Medium severity vulnerability in ImageMagick. # Specially crafted SVG file make segmentation fault and generate trash files in "/tmp", possible to leverage DoS.
Default credentials in netbox-docker before 2.5.0.
Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network addresses and cloud metadata endpoints by providing malicious URLs during link creation, bypassing validation controls that exist elsewhere in the application. An attacker with valid credentials can exploit this to access Docker service hostnames, internal services, and sensitive metadata endpoints. No patch is currently available for this vulnerability affecting PHP-based LinkAce deployments.
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by accessing the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. This affects the official Docker deployment configuration for PHP, Docker, and AVideo products.
OpenClaw versions up to 2026.2.15 is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
Local privilege escalation in Docker CLI for Windows (through version 29.1.5) lets a low-privileged user plant malicious CLI-plugin binaries that execute when a higher-privileged victim runs Docker. Because C:\ProgramData\Docker\cli-plugins does not exist by default, any local user can create it and drop trojanized binaries such as docker-compose.exe or docker-buildx.exe, which Docker Desktop or the CLI plugin manager will load and execute. EPSS is very low (0.01%) and there is no public exploit identified at time of analysis, but ZDI tracked the issue (ZDI-CAN-28304) and a vendor patch is available.
Path traversal in Kaniko 1.25.4 through 1.25.9 allows attackers to extract tar archives outside the intended destination directory, enabling arbitrary file writes on the build system. When combined with Docker credential helpers in registry authentication scenarios, this vulnerability can be leveraged for code execution within the Kaniko executor process. Docker and Kubernetes environments using the affected Kaniko versions are at risk.
and deploy AI models using Docker. versions up to 1.0.16 contains a security vulnerability (CVSS 7.5).
Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with.
Path traversal in Beszel hub's container API endpoints allows authenticated users, including those with read-only roles, to bypass validation and access arbitrary Docker Engine API endpoints on agent hosts through improper URL path construction. This exposure of sensitive infrastructure details affects Beszel versions prior to 0.18.4 and Docker integrations, with public exploit code already available. The vulnerability requires valid authentication but no special privileges, making it exploitable by low-privileged users in multi-tenant environments.
Privilege escalation in WireGuard Portal prior to version 2.1.3 allows authenticated non-admin users to gain full administrator access by modifying their own user profile with an IsAdmin flag set to true. The vulnerability exists because the server fails to properly validate and restrict the IsAdmin field during profile updates, allowing the privilege change to persist after re-authentication. Affected deployments require immediate patching to version 2.1.3 or later to prevent unauthorized administrative access.
OS command injection in bleon-ethical/api-gateway-deploy npm package version 1.0.0. Attack chain enables remote code execution through crafted API gateway deployment configuration.
Local privilege escalation via out-of-bounds memory read in Docker Desktop's grpcfuse kernel module (versions up to 4.61.0) on Linux, Windows, and macOS allows authenticated local attackers to achieve complete system compromise through manipulation of /proc/docker entries. The vulnerability requires local access and valid user credentials but enables reading and modifying arbitrary kernel memory with high impact on confidentiality, integrity, and availability. Docker Desktop 4.62.0 and later resolve this issue.
BigBlueButton versions 3.0.21 and below allow remote denial of service when ClamAV is configured following official documentation, as the exposed clamd ports (3310, 7357) can be targeted by attackers to send malicious documents that exhaust server resources or crash the scanning service. This vulnerability affects Ubuntu and Docker deployments since standard firewall rules do not restrict container traffic, and public exploit code exists. An unauthenticated remote attacker requires only network access to trigger the denial of service condition.
Arbitrary host file exfiltration from Cloud Hypervisor VMM versions 34.0-50.0. CVSS 10.0. Patch available.
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. [CVSS 3.3 LOW]
Configuration injection in OpenClaw Docker sandbox before 2026.2.15 allows escaping sandbox restrictions. Patch available.
Trivy Action versions 0.31.0 through 0.33.1 allow remote code execution on GitHub Actions runners due to insufficient input sanitization when constructing shell environment variable exports. An attacker with repository access can inject shell metacharacters through action inputs to achieve arbitrary command execution in the runner context. The vulnerability requires high privileges to exploit and is addressed in version 0.34.0.
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. [CVSS 3.8 LOW]
Arbitrary local file disclosure in Crawl4AI's Docker API (versions before 0.8.0) lets unauthenticated remote attackers read any file on the server by supplying file:// URLs to the /execute_js, /screenshot, /pdf, and /html endpoints. Because the API validates no scheme, an attacker can exfiltrate /etc/passwd, /etc/shadow, application config, and process environment via /proc/self/environ - directly exposing credentials and API keys. Publicly documented in GitHub advisory GHSA-vx9w-5cx4-9796 with a working request example; no public exploit identified as active exploitation, and EPSS is low (0.06%, 19th percentile).
Remote code execution in Crawl4AI Docker API before 0.8.0 via hooks parameter. The /crawl endpoint accepts Python code in hooks that executes on the server. EPSS 0.28%.
Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code execution outside the intended sandbox boundary.
Improper policy enforcement in OpenFGA versions 1.8.5 through 1.11.2 (and corresponding Helm Chart and Docker releases) allows authenticated users to bypass authorization checks through specially crafted tuple configurations that mix type-bound public and non-public access policies. An attacker with valid credentials can exploit mismatched tuple assignments to gain unauthorized access to protected resources by leveraging lexicographic object ID ordering in the authorization engine. No patch is currently available.
Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. [CVSS 6.7 MEDIUM]
Command injection in OpenClaw's Docker sandbox execution allows authenticated users to manipulate the PATH environment variable and execute arbitrary commands within containers prior to version 2026.1.29. An attacker with valid credentials and ability to control environment variables could achieve code execution within the containerized AI assistant. A patch is available in version 2026.1.29 and later.
Arbitrary Python code execution in Backstage's @backstage/plugin-techdocs-node (versions < 1.13.11 and = 1.14.0) lets a contributor who can add or edit a repository's mkdocs.yml inject a malicious MkDocs `hooks` directive that runs on the TechDocs build server whenever TechDocs is configured with `runIn: local`. The flaw also affects documentation built in CI/CD via @techdocs/cli, which bundles the same package. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the CVSS of 8.8 reflects full host compromise of the build environment.
Backstage TechDocs plugin versions prior to 1.13.11 and 1.14.1 contain a path traversal vulnerability that allows authenticated attackers to read arbitrary files from the host filesystem when the local generator is enabled. The vulnerability stems from insufficient symlink validation during the documentation build process, enabling attackers to embed sensitive file contents into generated HTML accessible to documentation viewers. Organizations using `techdocs.generator.runIn: local` with untrusted documentation sources are at risk until patching to the fixed versions.
A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path).
Runtipi versions 4.5.0 through 4.7.1 contain an unauthenticated path traversal vulnerability in the UserConfigController that allows remote attackers to overwrite the docker-compose.yml configuration file through insecure URN parsing. An attacker can inject a malicious stack configuration that executes arbitrary code when the instance restarts, achieving full remote code execution and host compromise. Public exploit code exists and no patch is currently available.
malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. [CVSS 6.5 MEDIUM]
Dokploy self-hosted PaaS prior to 0.26.6 has a critical command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands on the host.
Critical access control flaw in Dozzle Docker log viewer allows users restricted by label filters to escape their scope and obtain an interactive root shell on out-of-scope containers. PoC available, patch in v9.0.3.
BentoML versions prior to 1.4.34 allow path traversal attacks through improperly validated file path fields in bentofile.yaml configurations, enabling attackers to embed arbitrary files from the victim's system into bento archives during the build process. This vulnerability can be exploited to exfiltrate sensitive data such as credentials, SSH keys, and environment variables into supply chain artifacts that may be pushed to registries or deployed in production environments. A patch is available in version 1.4.34.
Runtipi versions 3.7.0 through 4.6.x suffer from arbitrary command execution when authenticated users upload backups with malicious filenames containing shell metacharacters, which the BackupManager fails to sanitize before executing restore operations. An attacker with valid credentials can craft a backup filename like $(id).tar.gz to achieve remote code execution on the host server with the privileges of the Runtipi process. Public exploit code exists for this vulnerability, and patches are available in version 4.7.0 and later.
Arcane Docker management interface prior to 1.13.2 has missing authentication, allowing unauthenticated attackers to manage Docker containers, images, and networks on the host.
Tugtainer versions before 1.16.1 transmit authentication credentials through URL query parameters rather than request bodies, causing passwords to be exposed in server logs, browser history, and proxy logs. This exposure allows attackers with access to these logs or cached data to obtain valid credentials for the Docker container management system. Public exploit code exists for this vulnerability, and a patch is available in version 1.16.1.
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.
Arcane Docker management tool before 1.13.0 has command injection in lifecycle labels. Container labels are passed to /bin/sh -c without sanitization, enabling RCE. PoC available.
The Ruckus vRIoT IoT Controller firmware versions prior to 3.0.0.0 (GA) contain hardcoded credentials for an operating system user account within an initialization script. The SSH service is network-accessible without IP-based restrictions. Although the configuration disables SCP and pseudo-TTY allocation, an attacker can authenticate using the hardcoded credentials and establish SSH local port forwarding to access the Docker socket. By mounting the host filesystem via Docker, an attacker can...
LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests to internal networks. By configuring agents with malicious OpenAPI specifications, attackers can scan internal infrastructure and access internal services. PoC available, patch available.
Spinnaker is an open source, multi-cloud continuous delivery platform. Versions prior to 2025.1.6, 2025.2.3, and 2025.3.0 are vulnerable to server-side request forgery. [CVSS 7.9 HIGH]
Coolify before 4.0.0-beta.445 allows command injection through docker-compose.yaml parameters. If a victim creates an application from an attacker-controlled repository using the Docker Compose build pack, the attacker achieves root code execution on the Coolify instance. PoC available, patch available.
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE)*vulnerability exists in Coolify's application deployment workflow. [CVSS 8.8 HIGH]
An authenticated command injection vulnerability in Coolify's PostgreSQL initialization script handling allows attackers with application/service management permissions to execute arbitrary commands as root on managed servers. The vulnerability affects all Coolify versions prior to 4.0.0-beta.451 and enables full remote code execution through unsanitized PostgreSQL init script filenames passed to shell commands. A public proof-of-concept exploit is available, and while not currently in CISA KEV, the vulnerability has a moderate EPSS score of 0.41% indicating some exploitation probability.
A command injection vulnerability in Coolify's Database Import functionality allows authenticated users with application/service management permissions to execute arbitrary system commands as root on managed servers. The vulnerability stems from unsanitized database names being passed directly to shell commands, enabling full remote code execution. A public proof-of-concept exploit is available, and with an EPSS score of 0.41% (61st percentile), this represents a moderate real-world exploitation risk for organizations using vulnerable Coolify versions.
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 allow anyone who can reach the database port to authenticate with full read/write access to the backend datastore. Publicly available exploit code exists, though EPSS remains low (0.81%) and the vendor states the database port is not network-exposed by default in 1.0.1 and later, limiting realistic reach. There is no public exploit identified as actively used in the wild (not in CISA KEV).
MartialBE one-hub up to version 0.14.27 uses a hard-coded cryptographic key in the SESSION_SECRET environment variable of its default docker-compose.yml configuration, allowing remote attackers to potentially decrypt or forge session tokens with high attack complexity. The vulnerability requires non-standard deployment configurations and affects confidentiality rather than integrity or availability. Exploit code has been disclosed publicly, though active exploitation remains unconfirmed by CISA, and the vendor explicitly recommends against using the default Docker Compose example in production environments.
A security vulnerability in cpp-httplib (CVSS 5.3) that allows attacker-controlled http headers. Risk factors: public PoC available. Vendor patch is available.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.
A security vulnerability in opsre go-ldap-admin (CVSS 5.6). Remediation should follow standard vulnerability management procedures.
A flaw was found in the ABRT daemon’s handling of user-supplied mount information.ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges.
The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Generation of Code ('Code Injection') vulnerability in Progress DataDirect Connect for JDBC drivers, Progress DataDirect Open Access JDBC driver and Hybrid Data Pipeline allows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available.
Symlink following in DesktopCommanderMCP up to version 0.2.13 allows local authenticated attackers to read files outside intended directory boundaries through the isPathAllowed function in filesystem.ts. The vulnerability requires local access and authenticated user privileges, with high attack complexity and low exploitability difficulty despite public availability of proof-of-concept code. This affects only unsupported product versions and carries minimal real-world risk (CVSS 1.1, EPSS 0.02%), though the vendor acknowledges the issue as a guardrail limitation rather than a hardened security boundary.
Docker default credentials in Termix server management. PoC and patch available.
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.1.102 and Application prior to version 25.1.1413 (VA/SaaS deployments) contain two hardcoded private keys that are. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.