VDB

CVE-2026-23520

CVE-2026-23520 PUBLISHED CVSS 9.100000381469727 CRITICAL

Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE

EPSS 0.04% · 13.0th percentile

Risk Scores

CVSS 3.1
9.100000381469727
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score
0.04%
13.0th percentile

Affected Products

VendorProductVersions
github.comgetarcaneapp/arcane/backend0, 0
arcanearcane0, 0
getarcaneapparcane< 1.13.0, < 1.13.0

Timeline

  • Jan 14, 2026 Fix PR Merged
  • Jan 15, 2026 CVE Published
  • Jan 15, 2026 PoC Published
  • Jan 15, 2026 PoC Published
  • Jan 16, 2026 EPSS Score
  • Jan 19, 2026 EPSS Score
  • Jan 19, 2026 PoC Published
  • Jan 22, 2026 EPSS Score
  • Jan 24, 2026 PoC Published
  • Jan 24, 2026 PoC Published
  • Jan 24, 2026 PoC Published
  • Jan 24, 2026 PoC Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›