{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45627/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Arcane Backend (\u003c= 1.18.1)","github.com/getarcaneapp/arcane/backend"],"_cs_severities":["high"],"_cs_tags":["xss","reflected-xss","github","arcane-backend","cve-2026-45627"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eArcane Backend versions 1.18.1 and earlier are vulnerable to an unauthenticated reflected cross-site scripting (XSS) vulnerability via the \u003ccode\u003ecolor\u003c/code\u003e query parameter of the \u003ccode\u003e/api/app-images/logo\u003c/code\u003e endpoint. The parameter is substituted into the served SVG without escaping, so an attacker can craft a URL that returns an SVG carrying arbitrary JavaScript from the application\u0026rsquo;s own origin. Because the application performs no input validation or sanitization on the value and sets no Content-Security-Policy (CSP) header, the script runs with the privileges of whoever opens the link. If that is a logged-in administrator, the script can act on their behalf: the admin JWT cookie is HttpOnly and cannot be read by script, but same-origin requests the script issues carry it automatically, which is enough to create new admin accounts and gain full control over the Arcane Backend. The root cause is the direct use of user-controlled input inside an SVG \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e element without escaping or validation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious URL targeting the \u003ccode\u003e/api/app-images/logo\u003c/code\u003e endpoint, embedding the XSS payload in the \u003ccode\u003ecolor\u003c/code\u003e query parameter, such as \u003ccode\u003ecolor=red}\u0026lt;/style\u0026gt;\u0026lt;script\u0026gt;fetch('/api/users',...)\u0026lt;/script\u0026gt;\u0026lt;style\u0026gt;x{\u003c/code\u003e. The leading \u003ccode\u003ered}\u003c/code\u003e closes the CSS rule the value lands in, \u003ccode\u003e\u0026lt;/style\u0026gt;\u003c/code\u003e closes the style element so the script element is real markup, and the trailing \u003ccode\u003e\u0026lt;style\u0026gt;x{\u003c/code\u003e reopens a style element so the SVG remains well-formed XML and still parses.\u003c/li\u003e\n\u003cli\u003eThe victim, a logged-in administrator, is enticed to open the URL directly through phishing or other social engineering. Direct navigation matters: script inside an SVG executes only when the SVG is loaded as a document, not when the same URL is referenced from an \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e element.\u003c/li\u003e\n\u003cli\u003eThe Arcane Backend processes the request without authentication, as the \u003ccode\u003eSecurity\u003c/code\u003e parameter is explicitly empty for this route.\u003c/li\u003e\n\u003cli\u003eThe backend\u0026rsquo;s \u003ccode\u003eapplyAccentColorToSVG\u003c/code\u003e function in \u003ccode\u003ebackend/internal/services/app_images_service.go\u003c/code\u003e uses \u003ccode\u003estrings.ReplaceAll\u003c/code\u003e to substitute the attacker-controlled \u003ccode\u003ecolor\u003c/code\u003e value into the \u003ccode\u003elogo.svg\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe modified SVG, now containing the embedded script, is returned to the victim\u0026rsquo;s browser with the \u003ccode\u003eimage/svg+xml\u003c/code\u003e Content-Type and no CSP header.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser renders the response as an SVG document and executes the injected JavaScript in the Arcane Backend\u0026rsquo;s origin. No MIME sniffing is involved, because the Content-Type is correct, so \u003ccode\u003eX-Content-Type-Options: nosniff\u003c/code\u003e on its own would not have stopped execution; a CSP forbidding inline script would have.\u003c/li\u003e\n\u003cli\u003eThe injected script runs same-origin, so every \u003ccode\u003efetch()\u003c/code\u003e it issues is automatically authenticated with the administrator\u0026rsquo;s \u003ccode\u003e__Host-token\u003c/code\u003e / \u003ccode\u003etoken\u003c/code\u003e HttpOnly JWT cookie. The cookie value itself is not readable from JavaScript, and it does not need to be.\u003c/li\u003e\n\u003cli\u003eThe script creates a new administrator account via \u003ccode\u003ePOST /api/users\u003c/code\u003e, giving the attacker persistent access to the Arcane Backend that outlives the victim\u0026rsquo;s browser session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows a remote attacker to execute arbitrary JavaScript in the context of a logged-in Arcane Backend administrator. This leads to complete account compromise, including the creation of persistent attacker-controlled admin accounts. Because Arcane manages Docker daemons, container exec, image registries, and GitOps repositories, the attacker can also read or modify secrets stored in the environments, registries, and Git repositories the administrator can access, and start or exec into containers on connected Docker hosts, amounting to a full compromise of the Arcane infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to a patched version of Arcane Backend that addresses CVE-2026-45627.\u003c/li\u003e\n\u003cli\u003eAs defence in depth, validate the \u003ccode\u003ecolor\u003c/code\u003e query parameter against a strict allowlist (for example a hex colour such as \u003ccode\u003e#1f6feb\u003c/code\u003e or a fixed set of named colours) before it is substituted into the SVG, and reject everything else with a 400. An allowlist is preferable to escaping here because the value is interpreted as CSS inside an XML document, so any escaping would have to be correct for both contexts at once.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Arcane Backend CVE-2026-45627 XSS Attempt via App Images Logo\u003c/code\u003e to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eSet the following HTTP response headers on all responses, and in particular on \u003ccode\u003e/api/app-images/*\u003c/code\u003e: \u003ccode\u003eX-Content-Type-Options: nosniff\u003c/code\u003e and \u003ccode\u003eContent-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:\u003c/code\u003e. The CSP is the control that blocks the injected script (there is no \u003ccode\u003escript-src\u003c/code\u003e directive, so script falls back to \u003ccode\u003edefault-src 'none'\u003c/code\u003e); \u003ccode\u003enosniff\u003c/code\u003e is sound hygiene but has no effect on an SVG served with its correct type.\u003c/li\u003e\n\u003cli\u003eServe static images with \u003ccode\u003eContent-Disposition: attachment\u003c/code\u003e rather than \u003ccode\u003einline\u003c/code\u003e (\u003ccode\u003einline\u003c/code\u003e is the browser default and adds no protection; \u003ccode\u003eattachment\u003c/code\u003e stops the response from rendering as a top-level document while \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e references keep working) and from a separate cookie-less origin, so that a script executing in an image response cannot ride the administrator\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eEnforce a strict allowlist on the settings write path (\u003ccode\u003eSettingsService\u003c/code\u003e → \u003ccode\u003eAccentColor\u003c/code\u003e) to prevent stored XSS variants.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T14:19:55Z","date_published":"2026-05-18T14:19:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-arcane-xss/","summary":"Arcane Backend versions 1.18.1 and earlier are vulnerable to an unauthenticated reflected XSS (CVE-2026-45627) via the SVG color parameter, allowing attackers to inject executable script content and compromise admin accounts by enticing them to visit a malicious link.","title":"Arcane Backend Unauthenticated Reflected XSS via SVG Color Parameter Enables Admin Account Takeover","url":"https://feed.craftedsignal.io/briefs/2026-05-arcane-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-45627","version":"https://jsonfeed.org/version/1.1"}
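The unescaped substitution from the attack chain and the allowlist plus response-header hardening from the recommendations, as an added Go example that is not code from the Arcane project. The SVG template, its ACCENT_COLOR placeholder, the set of accepted colours and the handler are assumptions made for the example; the payload is the one quoted in the attack chain and the headers are those listed in the recommendations.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Constructed stand-in for logo.svg. The real template and its placeholder
// are not shown in the advisory, so "ACCENT_COLOR" is an assumption.
const logoTemplate = `<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">
<style>.accent{fill:ACCENT_COLOR}</style>
<circle class="accent" cx="32" cy="32" r="24"/>
</svg>`

// The payload from the advisory's attack chain: close the CSS rule, close the
// style element, inject a script, reopen a style element so the XML still parses.
const payload = "red}</style><script>fetch('/api/users',{method:'POST'})</script><style>x{"

// applyAccentColorVulnerable mirrors the pattern the advisory describes for
// applyAccentColorToSVG: a bare strings.ReplaceAll with no validation.
func applyAccentColorVulnerable(svg, color string) string {
	return strings.ReplaceAll(svg, "ACCENT_COLOR", color)
}

var (
	hexColor    = regexp.MustCompile(`^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$`)
	namedColor  = map[string]bool{"red": true, "green": true, "blue": true, "black": true, "white": true} // assumed set
	ErrBadColor = errors.New("accent color rejected by allowlist")
)

// validateAccentColor is the allowlist: only a CSS hex colour or one of a fixed
// set of names survives. Nothing containing "}", "<" or ">" can pass, so no
// escaping for the CSS or XML context is needed.
func validateAccentColor(color string) (string, error) {
	color = strings.ToLower(strings.TrimSpace(color))
	if hexColor.MatchString(color) || namedColor[color] {
		return color, nil
	}
	return "", ErrBadColor
}

// applyAccentColorSafe validates first, then substitutes.
func applyAccentColorSafe(svg, color string) (string, error) {
	c, err := validateAccentColor(color)
	if err != nil {
		return "", err
	}
	return strings.ReplaceAll(svg, "ACCENT_COLOR", c), nil
}

// containsScript reports whether the substitution let a script element into the SVG.
func containsScript(svg string) bool {
	return strings.Contains(svg, "<script")
}

// logoHandler serves the logo with the headers the advisory recommends. Even if
// injection were reintroduced, the CSP blocks inline script and
// Content-Disposition: attachment stops the response rendering as a document.
func logoHandler(w http.ResponseWriter, r *http.Request) {
	svg, err := applyAccentColorSafe(logoTemplate, r.URL.Query().Get("color"))
	if err != nil {
		http.Error(w, "invalid color", http.StatusBadRequest)
		return
	}
	h := w.Header()
	h.Set("Content-Type", "image/svg+xml")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:")
	h.Set("Content-Disposition", "attachment; filename=\"logo.svg\"")
	fmt.Fprint(w, svg)
}

func main() {
	fmt.Println("vulnerable path lets the script in:", containsScript(applyAccentColorVulnerable(logoTemplate, payload)))
	_, err := applyAccentColorSafe(logoTemplate, payload)
	fmt.Println("hardened path rejects the payload:", err)
	http.HandleFunc("/api/app-images/logo", logoHandler)
	// http.ListenAndServe(":8080", nil) // uncomment to serve locally
}
```

Run it as-is to see the vulnerable substitution accept the payload and the allowlist reject it; the handler is what a patched route would look like, with validation before substitution and the CSP doing the work that nosniff alone cannot.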