All CosmicBytez Labs articles tagged #Docker, across news, security advisories, how-to guides, and projects.
A critical CVSS 9.1 vulnerability in Crawl4AI before 0.8.7 allows attackers to write arbitrary files anywhere on the host filesystem via the Docker API's /screenshot and /pdf endpoints — patch immediately.
A server-side request forgery vulnerability in Gotenberg's LibreOffice conversion endpoint allows crafted documents to silently probe internal network...
Attackers are actively exploiting a critical authentication bypass in the official Gitea Docker image, allowing unauthenticated users to impersonate any...
Deploy a self-hosted phishing simulation platform using Gophish in Docker. Build real-world phishing campaigns, track user engagement, and run security...
All official Gitea Docker images through v1.26.2 ship with a wildcard trusted proxy setting that lets any unauthenticated attacker impersonate any user...
Aggregate, deduplicate, and track security findings from 100+ scanners in a unified dashboard. Build a production-grade vulnerability management pipeline...
Deploy OpenCTI to aggregate, correlate, and visualize threat intelligence from MISP, NVD, AlienVault OTX, and Shodan — all in a self-hosted Docker stack.
Deploy Shuffle, the open-source SOAR platform, to automate security workflows and orchestrate your homelab tools — from Wazuh alerts to enrichment lookups...
A practical, step-by-step guide to hardening Docker deployments — from non-root users and read-only filesystems to capability drops, resource limits, and...
A CVSS 9.8 OS command injection vulnerability in openlabs docker-wkhtmltopdf-aas allows unauthenticated remote code execution via a crafted POST request to…
Deploy a full Wazuh stack in Docker to gain host-based intrusion detection, file integrity monitoring, vulnerability scanning, and active response across your…
DockSec, an OWASP incubator project, combines multiple container security scanners with AI-generated plain-English remediation guidance and exact Dockerfile.
Deploy Falco on a Docker host to monitor container syscalls at the kernel level, write custom homelab detection rules, and route real-time alerts through.
Deploy Pi-hole v6 as a network-wide DNS sinkhole backed by Unbound as a self-hosted recursive resolver — eliminating ads, trackers, and malware domains...
Deploy a full observability stack — Prometheus metrics collection, Grafana dashboards, AlertManager notifications, and three exporters — all containerized...
Deploy Traefik v3 as a Docker-native reverse proxy with automatic Let's Encrypt TLS, label-based routing, and security middleware — no more port juggling...
Deploy Greenbone Community Edition to run authenticated vulnerability scans, configure scan targets, and generate actionable remediation reports for your...
Threat actors hijacked the official checkmarx/kics Docker Hub repository by overwriting existing image tags — including v2.1.20 and alpine variants — and...
Deploy a fully self-hosted, Bitwarden-compatible password manager using Vaultwarden on Docker with Caddy reverse proxy, automatic TLS, WebSocket...
Learn how to use Trivy to scan container images, Dockerfiles, Kubernetes manifests, and Terraform for vulnerabilities and misconfigurations — then...
Deploy Keycloak with Docker Compose and PostgreSQL to build a centralised single sign-on platform for your homelab services, with OIDC integration for...
The Trivy supply chain attack has expanded dramatically beyond GitHub Actions: malicious Docker Hub images (versions 0.69.4–0.69.6) carry an infostealer,...
Deploy a production-grade Docker infrastructure with Traefik reverse proxy, Authentik single sign-on, automated TLS certificates, and multi-network...
Deploy Microsoft Dynamics 365 Business Central in Docker containers for development, testing, and demonstration. Covers container setup, management, and...
Deploy Docker Engine natively on Windows without Docker Desktop. Covers installation, Windows container mode, lifecycle management, and troubleshooting.
Deploy a complete self-hosted media automation system with Plex, Sonarr, Radarr, Prowlarr, and more. Includes Traefik reverse proxy, Authentik SSO, and...
Build a production-grade K3s cluster on Proxmox/bare metal with Longhorn storage, Traefik ingress, cert-manager, and ArgoCD for GitOps.
Learn essential Docker security practices including image scanning, runtime protection, network isolation, and secrets management for production environments.
Deploy your own password manager with Vaultwarden (Bitwarden-compatible). Includes secure configuration, SSL setup, and backup procedures.