CVE Catalog

CVE-2026-47174

CriticalCVSS 9.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.04%

14th percentile — higher than 14% of all known CVEs

Summary

In Duck Site before version 1.0.1, there is a vulnerability related to the deployment process that can be triggered by malicious code in a pull request. An attacker can exploit this flaw to deploy a malicious Docker image to production without merging the code.

Risk Assessment

The organization may be exposed to the deployment of malicious software, which can lead to serious consequences such as data loss or security breaches.

Recommendation

It is recommended to update Duck Site to version 1.0.1 or later to eliminate this vulnerability and to review and monitor pull requests for potential threats.

Original NVD description (English source)

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisfy the deploy workflow’s main branch condition, the deploy job checks out the triggering workflow commit, builds it into a Docker image, pushes it as latest, and triggers Dokploy deployment. This can allow attacker-controlled pull request code to become the deployed production site image without being merged. This issue has been patched in version 1.0.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS