Search criteria
2 vulnerabilities by Quenary
CVE-2026-23846 (GCVE-0-2026-23846)
Vulnerability from cvelistv5 – Published: 2026-01-19 19:42 – Updated: 2026-01-20 14:40
VLAI?
Title
Tugtainer vulnerable to Password Exposure via URL Query Parameter
Summary
Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue.
Severity ?
8.1 (High)
CWE
- CWE-598 - Use of GET Request Method With Sensitive Query Strings
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23846",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:39:41.231564Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:40:03.105Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tugtainer",
"vendor": "Quenary",
"versions": [
{
"status": "affected",
"version": "\u003c 1.16.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-598",
"description": "CWE-598: Use of GET Request Method With Sensitive Query Strings",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T19:42:35.581Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Quenary/tugtainer/security/advisories/GHSA-f2qf-f544-xm4p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Quenary/tugtainer/security/advisories/GHSA-f2qf-f544-xm4p"
},
{
"name": "https://github.com/Quenary/tugtainer/commit/9d23bf40ac1d39005582abfcf0a84753a4e29d52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Quenary/tugtainer/commit/9d23bf40ac1d39005582abfcf0a84753a4e29d52"
}
],
"source": {
"advisory": "GHSA-f2qf-f544-xm4p",
"discovery": "UNKNOWN"
},
"title": "Tugtainer vulnerable to Password Exposure via URL Query Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23846",
"datePublished": "2026-01-19T19:42:35.581Z",
"dateReserved": "2026-01-16T15:46:40.843Z",
"dateUpdated": "2026-01-20T14:40:03.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-69201 (GCVE-0-2025-69201)
Vulnerability from cvelistv5 – Published: 2025-12-29 15:51 – Updated: 2025-12-29 16:50
VLAI?
Title
Tugtainer has RCE in Agent Command Execution Api
Summary
Tugtainer is a self-hosted app for automating updates of docker containers. In versions prior to 1.15.1, arbitary arguments can be injected in tugtainer-agent `POST api/command/run`. Version 1.15.1 fixes the issue.
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-69201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-29T16:42:38.826048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T16:50:49.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tugtainer",
"vendor": "Quenary",
"versions": [
{
"status": "affected",
"version": "\u003c 1.15.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tugtainer is a self-hosted app for automating updates of docker containers. In versions prior to 1.15.1, arbitary arguments can be injected in tugtainer-agent `POST api/command/run`. Version 1.15.1 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-29T15:51:41.461Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Quenary/tugtainer/security/advisories/GHSA-grc3-8w5x-g54q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Quenary/tugtainer/security/advisories/GHSA-grc3-8w5x-g54q"
},
{
"name": "https://github.com/Quenary/tugtainer/pull/88",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Quenary/tugtainer/pull/88"
},
{
"name": "https://github.com/Quenary/tugtainer/commit/dbb17d843e30fd7509acf0328c913dcb42f40831",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Quenary/tugtainer/commit/dbb17d843e30fd7509acf0328c913dcb42f40831"
},
{
"name": "https://github.com/Quenary/tugtainer/releases/tag/v1.15.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Quenary/tugtainer/releases/tag/v1.15.1"
}
],
"source": {
"advisory": "GHSA-grc3-8w5x-g54q",
"discovery": "UNKNOWN"
},
"title": "Tugtainer has RCE in Agent Command Execution Api"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-69201",
"datePublished": "2025-12-29T15:51:41.461Z",
"dateReserved": "2025-12-29T14:47:58.453Z",
"dateUpdated": "2025-12-29T16:50:49.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}