Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-q2pj-8v84-9mh5 | Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover |
Fri, 29 May 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 29 May 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Getarcaneapp
Getarcaneapp arcane |
|
| Vendors & Products |
Getarcaneapp
Getarcaneapp arcane |
Fri, 29 May 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a <style> element of the embedded logo.svg, allowing an attacker to close the style block and inject executable <script> content. Because the response is served as image/svg+xml and Arcane sets no Content-Security-Policy or X-Content-Type-Options headers, navigating a logged-in admin victim to a crafted URL executes attacker-controlled JavaScript in Arcane's origin and rides the victim's HttpOnly JWT cookie to fully compromise the admin account. This vulnerability is fixed in 1.19.0. | |
| Title | Arcane: Unauthenticated reflected XSS via SVG color parameter in /api/app-images/logo enables admin account takeover | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-29T17:31:14.391Z
Reserved: 2026-05-12T20:31:43.449Z
Link: CVE-2026-45627
Updated: 2026-05-29T17:31:04.842Z
Status : Deferred
Published: 2026-05-29T18:17:10.647
Modified: 2026-05-29T20:25:00.760
Link: CVE-2026-45627
No data.
OpenCVE Enrichment
Updated: 2026-05-29T19:00:06Z
Github GHSA