Arcane versions before 1.19.0 contain a reflected XSS vulnerability in the unauthenticated GET /api/app-images/logo endpoint. The endpoint reflects a user-supplied 'color' query parameter into an SVG document's <style> element using strings.ReplaceAll without escaping, enabling an attacker to break out of the style block and inject malicious <script> content. Because the response is served as image/svg+xml and lacks Content-Security-Policy and X-Content-Type-Options headers, the injected script executes in the admin user's browser context if they visit a crafted URL. This leads to full compromise of the admin account by hijacking the HttpOnly JWT cookie. The vulnerability is addressed in Arcane 1.19.0.

Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of a logged-in admin user, leading to full admin account compromise. This includes theft of authentication tokens and potential unauthorized administrative actions within the Arcane application. The vulnerability does not affect availability but has high confidentiality and integrity impact.

This vulnerability is fixed in Arcane version 1.19.0. Users should upgrade to version 1.19.0 or later to remediate the issue. Since no official patch link or vendor advisory is provided, confirm upgrade availability from the vendor's official channels. Until upgraded, avoid navigating admin users to untrusted URLs that include crafted 'color' parameters in the affected endpoint.