Executive Summary

CVE-2026-45627 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability in the Arcane application (versions up to 1.18.1). It occurs because the application reflects a user-supplied 'color' query parameter into an SVG document without proper escaping. This allows an attacker to close the existing <style> block and inject malicious <script> content inside the SVG.

Since the response is served as image/svg+xml and Arcane does not set security headers like Content-Security-Policy or X-Content-Type-Options, an attacker can craft a URL that, when visited by a logged-in admin, executes attacker-controlled JavaScript in Arcane's origin.

This script execution can hijack the victim's HttpOnly JWT cookie, leading to full compromise of the admin account.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to fully compromise an admin account in the Arcane application by executing arbitrary JavaScript in the context of the application.

• The attacker can hijack the admin's session via the HttpOnly JWT cookie.
• They can create persistent admin accounts.
• They gain access to sensitive secrets.
• They can control Docker containers, registries, and GitOps repositories managed by Arcane.

The attack requires minimal user interaction, only that the victim clicks a crafted link.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the `/api/app-images/logo` endpoint for reflected Cross-Site Scripting (XSS) via the `color` query parameter. Specifically, sending crafted requests with malicious payloads in the `color` parameter and observing if the response SVG document reflects the input without proper escaping indicates the presence of the vulnerability.

A simple detection method is to use curl or similar HTTP clients to send a request with a payload that attempts to break out of the style block and inject script tags. For example:

• curl -i "http://<arcane-host>/api/app-images/logo?color=%3C%2Fstyle%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"

If the response contains the injected `<script>alert(1)</script>` inside the SVG, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the Arcane application to version 1.19.0 or later, where this vulnerability is fixed.

Additional mitigations involve adding security headers such as Content-Security-Policy and X-Content-Type-Options to prevent execution of injected scripts.

Validating and sanitizing user input on the `color` query parameter to prevent injection of malicious content is also recommended.

Serving images from a separate origin can help isolate the SVG content and reduce the impact of such attacks.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to fully compromise an admin account by executing malicious JavaScript in the context of the application, leading to session hijacking and unauthorized access to sensitive data and control over Docker containers and related resources.

Such unauthorized access and potential data breaches can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strict access controls.

Failure to implement proper input validation, security headers, and isolation of content as described in the vulnerability increases the risk of violating these regulations due to exposure of personal or sensitive information.

Useful 0 Not Useful 0