CVE-2026-39848
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
Dockyard before version 1.1.0 lacks CSRF protection for Docker container start and stop operations. An attacker can force a logged-in administrator's browser to send GET requests, allowing unauthorized container management.
Risk Assessment
The risk is that an attacker can remotely stop or start containers without the administrator's knowledge, potentially causing service disruption or unauthorized access to resources.
Recommendation
Immediately update Dockyard to version 1.1.0 or later, which includes a fix for the missing CSRF protection.
Original NVD description (English source)
Dockyard is a Docker container management app. Prior to 1.1.0, Docker container start and stop operations are performed through GET requests without CSRF protection. A remote attacker can cause a logged-in administrator's browser to request /apps/action.php?action=stop&name=<container> or /apps/action.php?action=start&name=<container>, which starts or stops the target container. This vulnerability is fixed in 1.1.0.

