Focus on portainer vulnerabilities and metrics.
Last updated: 29 Jun 2025, 22:25 UTC
This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with portainer. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.
For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.
Total portainer CVEs: 18
Earliest CVE date: 22 Jun 2018, 18:29 UTC
Latest CVE date: 02 Oct 2024, 05:15 UTC
Latest CVE reference: CVE-2024-33662
30-day Count (Rolling): 0
365-day Count (Rolling): 1
Calendar-based Variation
Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.
Month Variation (Calendar): 0%
Year Variation (Calendar): -50.0%
Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -50.0%
Average CVSS: 4.77
Max CVSS: 10.0
Critical CVEs (≥9): 2
| Range | Count |
|---|---|
| 0.0-3.9 | 6 |
| 4.0-6.9 | 8 |
| 7.0-8.9 | 2 |
| 9.0-10.0 | 2 |
These are the five CVEs with the highest CVSS scores for portainer, sorted by severity first and recency.
Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function.
Portainer before 2.20.0 allows redirects when the target is not index.yaml.
A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not.
In Portainer Agent before 2.11.1, an API server can continue running even if not associated with a Portainer instance in the past few days.
An unauthorized access vulnerabiitly exists in all versions of Portainer, which could let a malicious user obtain sensitive information. NOTE: Portainer has received no detail of this CVE report. There is also no response after multiple attempts of contacting the original source.
Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates.
Portainer 1.24.1 and earlier is affected by incorrect access control that may lead to remote arbitrary code execution. The restriction checks for bind mounts are applied only on the client-side and not the server-side, which can lead to spawning a container with bind mount. Once such a container is spawned, it can be leveraged to break out of the container leading to complete Docker host machine takeover.
Portainer 1.24.1 and earlier is affected by an insecure permissions vulnerability that may lead to remote arbitrary code execution. A non-admin user is allowed to spawn new containers with critical capabilities such as SYS_MODULE, which can be used to take over the Docker host.
Portainer before 1.22.1 has XSS (issue 2 of 2).
Portainer before 1.22.1 has Incorrect Access Control (issue 4 of 4).
Portainer before 1.22.1 allows Directory Traversal.
Portainer before 1.22.1 has Incorrect Access Control (issue 1 of 4).
Portainer before 1.22.1 has Incorrect Access Control (issue 2 of 4).
Portainer before 1.22.1 has XSS (issue 1 of 2).
A vulnerability was found in Portainer before 1.20.0. Portainer stores LDAP credentials, corresponding to a master password, in cleartext and allows their retrieval via API calls.
Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case.
A stored Cross-site scripting (XSS) vulnerability in Portainer through 1.19.1 allows remote authenticated users to inject arbitrary JavaScript and/or HTML via the Team Name field.
Portainer before 1.18.0 supports unauthenticated requests to the websocket endpoint with an unvalidated id query parameter for the /websocket/exec endpoint, which allows remote attackers to bypass intended access restrictions or conduct SSRF attacks.