This page aggregates publicly disclosed CVE and security risk information related to acme.sh_project, with CVSS, EPSS, publication dates, and vulnerability intelligence data to help assess potential risk and remediation priority.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-32111 | The Docker image from acme.sh before 40b6db6 is based on a .github/workflows/dockerhub.yml file that lacks "persist-credentials: false" for actions/checkout. | [email protected] | 8.7 | 0.36% | 2025-04-04 | 2026-06-17 |
| CVE-2023-38198 | acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023. | [email protected] | 9.8 | 0.93% | 2023-07-12 | 2026-06-17 |