216.73.216.133

CVE-2026-58455

· Published 02/07/2026 18:16 · Author: The MITRE Corporation

Labels: CVE-2026-58455

Essential information

Published
02/07/2026 18:16
Modified
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
9.8 CRITICAL (v3.1) 9.2 CRITICAL (v4.0)
CISA KEV
No
CWE
CWE-78
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands by exploiting a missing exit() after an authentication redirect in loader.php combined with unsanitized input passed to shell_exec() in ajax/compose.php. Attackers can seed the required session flag through the incomplete auth check, then inject arbitrary commands via the composePath POST parameter in the composePull action to achieve full host compromise, facilitated by the standard deployment mounting of the Docker socket.

NVD status

NVD
View on NVD