CRITICAL 9.9 CVE-2026-45625 Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs
from 0, < 1.19.0
CRITICAL 9.0 CVE-2026-23520 Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE in github.com/getarcaneapp/arcane/backend
from 0, < 0.0.0-20260114065515-5a9c2f92e11f
HIGH 8.8 Arcane: Missing admin authorization on global variables endpoint
from 0, < 1.19.2
HIGH 8.2 Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover
from 0, < 1.19.0
HIGH 7.7 Arcane Has an Authenticated Arbitrary Host File Read via Docker Compose Include Directives
from 0, < 1.19.4
HIGH 7.2 Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint
from 0, < 1.17.3
MEDIUM 6.3 Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter
from 0, <= 1.18.1
—Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets)
from 0, < 1.18.0