Product
high
advisory
Arcane Backend Unauthenticated Reflected XSS via SVG Color Parameter Enables Admin Account Takeover
2 rules, 2 TTPs
Arcane Backend versions 1.18.1 and earlier are vulnerable to an unauthenticated reflected XSS (CVE-2026-45627) via the SVG color parameter, allowing attackers to inject executable script content and compromise admin accounts by enticing them to visit a malicious link.
Arcane Backend +1
xss
reflected-xss
github
arcane-backend
cve-2026-45627
critical
advisory
Arcane Git Repository Authentication Bypass Leads to Credential Exfiltration and GitOps Tampering (CVE-2026-45625)
2 rules, 5 TTPs, 1 IOC
Arcane's REST API lacks proper admin authorization checks on Git repository management endpoints, allowing any authenticated user to exfiltrate stored Git credentials and tamper with GitOps configurations by redirecting credential requests to an attacker-controlled host.
arcane backend +2
credential-access
privilege-escalation
supply-chain-compromise
denial-of-service
information-disclosure
cloud
authentication-bypass