CVE-2026-45627

Name of the Vulnerable Software and Affected Versions Arcane versions prior to 1.19.0

Description The unauthenticated 'GET /api/app-images/logo' endpoint reflects a user-supplied color query parameter into the body of an SVG document using strings.ReplaceAll without proper escaping. This substitution occurs within a <style> element of the embedded logo.svg, allowing an attacker to close the style block and inject executable <script> content. Since the response is served as image/svg+xml and lacks Content-Security-Policy or X-Content-Type-Options headers, an attacker can trick a logged-in administrator into visiting a crafted URL. This executes attacker-controlled JavaScript within the application's origin, utilizing the victim's HttpOnly JWT cookie to fully compromise the admin account. This can lead to the creation of unauthorized admin accounts, access to secrets, and control over connected Docker hosts.

Recommendations Update to version 1.19.0. As a temporary mitigation, restrict access to the 'GET /api/app-images/logo' endpoint. Implement the X-Content-Type-Options: nosniff header on all responses. Apply a Content-Security-Policy (CSP) to SVG image responses, such as default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:.