Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a <style> element of the embedded logo.svg, allowing an attacker to close the style block and inject executable <script> content. Because the response is served as image/svg+xml and Arcane sets no Content-Security-Policy or X-Content-Type-Options headers, navigating a logged-in admin victim to a crafted URL executes attacker-controlled JavaScript in Arcane's origin and rides the victim's HttpOnly JWT cookie to fully compromise the admin account. This vulnerability is fixed in 1.19.0.
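The unsafe substitution the description names, beside one hardened alternative that validates the value against a colour allowlist and sets the missing headers. This is an added Go example written for this page, not Arcane's code; the SVG template, the handler and the default colour are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Constructed stand-in for the embedded logo.svg; the real template is not on the page.
const logoSVG = `<svg xmlns="http://www.w3.org/2000/svg"><style>.a{fill:{{COLOR}}}</style><path class="a" d="M0 0h10v10H0z"/></svg>`

// Vulnerable pattern described in the advisory: raw substitution into <style>, no escaping.
func renderLogoUnsafe(color string) string {
	return strings.ReplaceAll(logoSVG, "{{COLOR}}", color)
}

// Allowlist: CSS hex colours (#rgb, #rgba, #rrggbb, #rrggbbaa) or a bare colour keyword; nothing matching it can contain markup.
var colorRe = regexp.MustCompile(`^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{4}|#[0-9a-fA-F]{6}|#[0-9a-fA-F]{8}|[a-zA-Z]{1,20})$`)

// validateColor returns the colour unchanged if it matches the allowlist, otherwise ok=false.
func validateColor(color string) (string, bool) {
	if !colorRe.MatchString(color) {
		return "", false
	}
	return color, true
}

// renderLogoSafe substitutes only an allowlisted value and otherwise falls back to a default.
func renderLogoSafe(color string) string {
	c, ok := validateColor(color)
	if !ok {
		c = "#000000" // assumed default; the real default is not on the page
	}
	return strings.ReplaceAll(logoSVG, "{{COLOR}}", c)
}

// logoHandler is a hypothetical handler for /api/app-images/logo that also sets the headers the advisory notes were absent.
func logoHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "image/svg+xml")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
	fmt.Fprint(w, renderLogoSafe(r.URL.Query().Get("color")))
}

func main() {
	http.HandleFunc("/api/app-images/logo", logoHandler)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

The CSP only matters when the SVG is opened as a top-level document, which is the navigation case the description relies on; the allowlist is what removes the injection regardless of headers.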
Published: 2026-05-29
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Arcane, an interface for managing Docker containers, exposed a reflected XSS flaw in the GET /api/app-images/logo endpoint. The color query parameter is substituted directly into an SVG <style> block without escaping, allowing an attacker to close the style element and inject executable <script> code. When an authenticated administrator views the crafted URL, the malicious JavaScript runs in Arcane’s origin context and can read the HttpOnly JWT cookie, granting full control of the admin account. This constitutes a true account takeover scenario.

Affected Systems

The vulnerability affects versions of the Arcane application from getarcaneapp:arcane prior to 1.19.0. Any deployment running a build older than 1.19.0 is vulnerable; later versions include the fix for the color sanitisation and proper response headers.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. EPSS is not publicly available, but the lack of Content-Security-Policy or X-Content-Type-Options headers and the ability to target logged-in admins via a simple crafted URL suggest a moderate to high likelihood of exploitation. The likely attack vector is an unauthenticated attacker delivering a malicious link that the victim clicks, causing the injected script to execute. Although not listed in the CISA KEV catalog, its high impact and ease of exploitation warrant immediate attention.

Generated by OpenCVE AI on May 29, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Arcane to version 1.19.0 or later where the SVG color sanitisation and response headers are correctly implemented.
  • After upgrading, configure a Content-Security-Policy header to restrict script sources and enable X-Content-Type-Options to prevent MIME-type sniffing.
  • Verify that the /api/app-images/logo endpoint no longer reflects user input by testing with malicious color values; ensure any old archived images are removed from the server.


Advisories
Source: GitHub GHSA
ID: GHSA-q2pj-8v84-9mh5
Title: Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover
History

Fri, 29 May 2026 19:30:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 18:45:00 +0000

First Time appeared (values added): Getarcaneapp; Getarcaneapp arcane
Vendors & Products (values added): Getarcaneapp; Getarcaneapp arcane

Fri, 29 May 2026 17:30:00 +0000

Description (values added): Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a <style> element of the embedded logo.svg, allowing an attacker to close the style block and inject executable <script> content. Because the response is served as image/svg+xml and Arcane sets no Content-Security-Policy or X-Content-Type-Options headers, navigating a logged-in admin victim to a crafted URL executes attacker-controlled JavaScript in Arcane's origin and rides the victim's HttpOnly JWT cookie to fully compromise the admin account. This vulnerability is fixed in 1.19.0.
Title (values added): Arcane: Unauthenticated reflected XSS via SVG color parameter in /api/app-images/logo enables admin account takeover
Weaknesses (values added): CWE-79
References
Metrics (values added): cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T17:31:14.391Z

Reserved: 2026-05-12T20:31:43.449Z

Link: CVE-2026-45627

Vulnrichment

Updated: 2026-05-29T17:31:04.842Z

NVD

Status : Deferred

Published: 2026-05-29T18:17:10.647

Modified: 2026-05-29T20:25:00.760

Link: CVE-2026-45627

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T19:00:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')