cvedb.io
CVE-2026-39386
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-04-21T01:16:06.217 · Last modified 2026-06-17T10:42:01.860

Summary

Neko is a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance. The vulnerability has been patched in v3.0.11 and v3.1.2. If upgrading is not immediately possible, the following mitigations can reduce risk: restrict access to trusted users only (avoid granting accounts to untrusted parties); ensure all user passwords are strong and only shared with trusted individuals; run the instance only when needed; avoid leaving it continuously exposed; place the instance behind authentication laye

Affected products

m1k1o — neko

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.