CVE-2026-23846 · CRITICAL 9.1 · EPSS p31.9%

Description

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.40% probability of exploitation · percentile 31.9% · 2026-06-18T12:00:27Z
Published: 2026-01-19
Last modified: 2026-02-05

Underlying weaknesses · 1

CWE-598

References

  1. https://github.com/Quenary/tugtainer/commit/9d23bf40ac1d39005582abfcf0a84753a4e29d52
  2. https://github.com/Quenary/tugtainer/security/advisories/GHSA-f2qf-f544-xm4p

Type: Weakness
Target: Use of HTTP Request With Sensitive Query String (cwe-598)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-69201
  2. CVE-2026-4404
  3. CVE-2026-44883
  4. CVE-2026-33588
  5. CVE-2026-22908
  6. CVE-2026-32045

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.