What is CVE-2026-39386?

CVE-2026-39386 is a high-severity vulnerability in M1k1o Neko, classified under Improper Input Validation. CVSS score: 8.8/10. Published 2026-04-21.

How severe is CVE-2026-39386?

High severity. CVSS v3 base score is 8.8 out of 10.

Auth bypass in M1k1o Neko

CVE-2026-39386

Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (me…

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.001 (16.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

M1k1o Neko — versions >= 3.0.0, < 3.0.11, >= 3.1.0, < 3.1.2

Weakness classification (CWE)

References

https://github.com/m1k1o/neko/security/advisories/GHSA-2gw9-c2r2-f5qf (x_refsource_CONFIRM)
https://github.com/m1k1o/neko/releases/tag/v3.0.11 (x_refsource_MISC)
https://github.com/m1k1o/neko/releases/tag/v3.1.2 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-39386?: CVE-2026-39386 is a high-severity vulnerability in M1k1o Neko, classified under Improper Input Validation. CVSS score: 8.8/10. Published 2026-04-21.
How severe is CVE-2026-39386?: High severity. CVSS v3 base score is 8.8 out of 10.