PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45627 getarcaneapp CVE debrief

Arcane versions prior to 1.19.0 contain a reflected cross-site scripting (XSS) vulnerability in the unauthenticated GET /api/app-images/logo endpoint. The endpoint accepts a user-supplied color query parameter and reflects it into an SVG document's <style> element using strings.ReplaceAll without proper escaping. An attacker can close the style block and inject executable <script> content. The response is served with Content-Type: image/svg+xml, and Arcane does not set Content-Security-Policy or X-Content-Type-Options headers. When a logged-in administrator navigates to a crafted URL, attacker-controlled JavaScript executes in Arcane's origin, allowing the attacker to exfiltrate the victim's HttpOnly JWT cookie and fully compromise the administrative account. The CVE record was published on 2026-05-29 and modified later the same day. No known exploitation in ransomware campaigns has been reported.

Vendor: getarcaneapp
Product: arcane
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running the Arcane Docker management interface at versions prior to 1.19.0, particularly those whose administrative interface is reachable from networks where phishing or social engineering is possible. Also relevant to security teams responsible for container orchestration platforms and to developers maintaining Arcane deployments.

Technical summary

The vulnerability exists in Arcane's logo endpoint where unsanitized user input is reflected into an SVG style element. The lack of output encoding allows HTML/script injection, while missing security headers enable script execution. The attack chain requires social engineering an authenticated admin to visit a malicious URL, after which the attacker's JavaScript runs with the victim's privileges and can access sensitive session credentials.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Arcane to version 1.19.0 or later to remediate the vulnerability.
  • Implement Content-Security-Policy headers with strict script-src directives to mitigate XSS impact.
  • Add X-Content-Type-Options: nosniff header to prevent MIME-type sniffing attacks.
  • Review and sanitize all user-supplied parameters reflected into SVG or HTML content using context-appropriate encoding.
  • Consider requiring authentication for the /api/app-images/logo endpoint if color customization is not needed for unauthenticated users.
  • Monitor access logs for suspicious requests to /api/app-images/logo containing script tags or style block closures.
  • Invalidate and rotate administrative JWT tokens if compromise is suspected.
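As an added illustration of the pattern in the technical summary and the hardening and monitoring actions above (example code written for this debrief, not Arcane's own source), a Go handler that allowlists the color parameter, sets the two headers the advisory lists as missing, and a check that flags access-log request lines carrying the indicator named above. The SVG template, the fallback colour and the route wiring are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Constructed SVG template (not Arcane's own): the colour lands inside <style>, the CSS
// context the advisory says was filled via strings.ReplaceAll without escaping.
const logoTemplate = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">` +
	`<style>.a{fill:%s}</style><circle class="a" cx="32" cy="32" r="30"/></svg>`

// Allowlist: only a 3- or 6-digit hex colour, so nothing that can close <style> or open a tag gets through.
var colorRe = regexp.MustCompile(`^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$`)
const defaultColor = "#3b82f6" // hypothetical fallback, not Arcane's real default

// safeColor returns raw if it passes the allowlist, otherwise the fallback colour.
func safeColor(raw string) string {
	if colorRe.MatchString(raw) {
		return raw
	}
	return defaultColor
}

// renderLogo builds the SVG from a validated colour only.
func renderLogo(raw string) string {
	return fmt.Sprintf(logoTemplate, safeColor(raw))
}

// logoHandler: hardened stand-in for GET /api/app-images/logo with the two missing headers added.
func logoHandler(w http.ResponseWriter, r *http.Request) {
	h := w.Header()
	h.Set("Content-Type", "image/svg+xml")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'")
	fmt.Fprint(w, renderLogo(r.URL.Query().Get("color")))
}

// suspiciousLogoRequest flags a request line ("GET /path?q HTTP/1.1") whose decoded color carries a tag delimiter.
func suspiciousLogoRequest(requestLine string) bool {
	f := strings.Fields(requestLine)
	if len(f) < 2 || !strings.HasPrefix(f[1], "/api/app-images/logo") {
		return false
	}
	u, err := url.Parse(f[1])
	return err != nil || strings.ContainsAny(u.Query().Get("color"), "<>")
}
```

Wire logoHandler with http.HandleFunc on the route and run suspiciousLogoRequest over the request-line field of each access-log entry; values are percent-decoded before the check, so encoded delimiters are caught too.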

Evidence notes

Vulnerability description sourced from official CVE record and NVD entry. Technical details confirmed via GitHub Security Advisory GHSA-q2pj-8v84-9mh5. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as primary weakness. Fix version 1.19.0 confirmed in advisory.

Official resources

2026-05-29