CVE-2026-23846

HIGH

Tugtainer <1.16.1 - Info Disclosure

Title source: llm

Description

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue.

References (2)

[Exploit, Vendor Advisory] https://github.com/Quenary/tugtainer/security/advisories/GHSA-f2qf-f544-xm4p

[Patch] https://github.com/Quenary/tugtainer/commit/9d23bf40ac1d39005582abfcf0a84753a4e29d52

Scores

CVSS v3 8.1

EPSS 0.0012

EPSS Percentile 30.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-598

Status published

Products (1)

quenary/tugtainer < 1.16.1

Published Jan 19, 2026

Tracked Since Feb 18, 2026