CVE Catalog

CVE-2026-39848

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile - higher than 11% of all known CVEs

Summary

Dockyard before version 1.1.0 lacks CSRF protection for Docker container start and stop operations. An attacker can force a logged-in administrator's browser to send GET requests, allowing unauthorized container management.

Risk Assessment

The risk is that an attacker can remotely stop or start containers without the administrator's knowledge, potentially causing service disruption or unauthorized access to resources.

Recommendation

Immediately update Dockyard to version 1.1.0 or later, which includes a fix for the missing CSRF protection.

Original NVD description (English source)

Dockyard is a Docker container management app. Prior to 1.1.0, Docker container start and stop operations are performed through GET requests without CSRF protection. A remote attacker can cause a logged-in administrator's browser to request /apps/action.php?action=stop&name=<container> or /apps/action.php?action=start&name=<container>, which starts or stops the target container. This vulnerability is fixed in 1.1.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS