Vulnerability Report: GO-2026-4320
- CVE-2026-23520, GHSA-gjqq-6r35-w3r8
- Affects: github.com/getarcaneapp/arcane/backend
- Published: Jan 23, 2026
Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE in github.com/getarcaneapp/arcane/backend
For detailed information about this vulnerability, visit https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8 or https://nvd.nist.gov/vuln/detail/CVE-2026-23520.
Affected Packages
-
PathVersionsSymbols
Aliases
References
- https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8
- https://nvd.nist.gov/vuln/detail/CVE-2026-23520
- https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4
- https://github.com/getarcaneapp/arcane/pull/1468
- https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0
- https://vuln.go.dev/ID/GO-2026-4320.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.