No vendor fix or workaround currently provided.
| Source | ID | Title |
|---|---|---|
| Github GHSA | GHSA-9mvm-4gwg-v8mp | Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter |

Tue, 02 Jun 2026 00:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |

Fri, 29 May 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Getarcaneapp, Getarcaneapp arcane | |
| Vendors & Products | Getarcaneapp, Getarcaneapp arcane | |

Fri, 29 May 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c "find … \| while …") inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-shell metacharacters such as $() or backticks, and strconv.Quote only escapes Go string metacharacters, not shell substitution sequences. Any authenticated user with access to a browseable volume can execute arbitrary commands inside the helper container; command output is reflected back in the 500 error body. | |
| Title | Arcane: OS Command Injection in Volume Browser ListDirectory via path query parameter | |
| Weaknesses | CWE-78 | |
| References | | |
| Metrics | cvssV3_1 | |

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-01T22:35:13.407Z
Reserved: 2026-05-12T20:31:43.449Z
Link: CVE-2026-45626
Updated: 2026-06-01T22:35:07.795Z
Status: Deferred
Published: 2026-05-29T18:17:10.483
Modified: 2026-05-29T20:25:00.760
Link: CVE-2026-45626
OpenCVE Enrichment
Updated: 2026-05-29T19:00:06Z