Search criteria
43 vulnerabilities found for dokploy by dokploy
CVE-2026-45661 (GCVE-0-2026-45661)
Vulnerability from nvd – Published: 2026-05-29 16:07 – Updated: 2026-05-29 16:07
VLAI
Title
Dokploy: Remote Code Execution through Path Traversal
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy's remote server deployment feature, this vulnerability enables arbitrary file write to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. This vulnerability bypasses all container isolation on remote server deployments.
Severity
9.9 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.26.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy\u0027s remote server deployment feature, this vulnerability enables arbitrary file write to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. This vulnerability bypasses all container isolation on remote server deployments."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-35",
"description": "CWE-35: Path Traversal: \u0027.../...//\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:07:54.491Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-66v7-g3fh-47h3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-66v7-g3fh-47h3"
}
],
"source": {
"advisory": "GHSA-66v7-g3fh-47h3",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Remote Code Execution through Path Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45661",
"datePublished": "2026-05-29T16:07:54.491Z",
"dateReserved": "2026-05-12T21:59:25.665Z",
"dateUpdated": "2026-05-29T16:07:54.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45633 (GCVE-0-2026-45633)
Vulnerability from nvd – Published: 2026-05-29 16:10 – Updated: 2026-05-29 18:25
VLAI
Title
Dokploy: Command Injection in /docker-container-logs Endpoint
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.
Severity
9.9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45633",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T17:33:26.885212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:25:04.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-wmqj-wr9q-327p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.26.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:10:20.278Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-wmqj-wr9q-327p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-wmqj-wr9q-327p"
}
],
"source": {
"advisory": "GHSA-wmqj-wr9q-327p",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Command Injection in /docker-container-logs Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45633",
"datePublished": "2026-05-29T16:10:20.278Z",
"dateReserved": "2026-05-12T20:31:43.450Z",
"dateUpdated": "2026-05-29T18:25:04.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45632 (GCVE-0-2026-45632)
Vulnerability from nvd – Published: 2026-05-29 16:11 – Updated: 2026-05-29 16:11
VLAI
Title
Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId. Schedule types server and dokploy-server write and execute scripts on the host or remote servers, enabling RCE on the Dokploy host or a target server.
Severity
9.9 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.26.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId. Schedule types server and dokploy-server write and execute scripts on the host or remote servers, enabling RCE on the Dokploy host or a target server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:11:19.414Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-7wmr-57mg-h5q6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-7wmr-57mg-h5q6"
}
],
"source": {
"advisory": "GHSA-7wmr-57mg-h5q6",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45632",
"datePublished": "2026-05-29T16:11:19.414Z",
"dateReserved": "2026-05-12T20:31:43.450Z",
"dateUpdated": "2026-05-29T16:11:19.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45631 (GCVE-0-2026-45631)
Vulnerability from nvd – Published: 2026-05-29 16:13 – Updated: 2026-05-29 16:13
VLAI
Title
Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.
Severity
10 (Critical)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
| https://github.com/Dokploy/dokploy/pull/4374 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.27.0, \u003c 0.29.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback (\"better-auth-secret-123456789\") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:13:59.525Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-w3gm-rc4p-9rhj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-w3gm-rc4p-9rhj"
},
{
"name": "https://github.com/Dokploy/dokploy/pull/4374",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/pull/4374"
}
],
"source": {
"advisory": "GHSA-w3gm-rc4p-9rhj",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45631",
"datePublished": "2026-05-29T16:13:59.525Z",
"dateReserved": "2026-05-12T20:31:43.450Z",
"dateUpdated": "2026-05-29T16:13:59.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45630 (GCVE-0-2026-45630)
Vulnerability from nvd – Published: 2026-05-29 16:15 – Updated: 2026-05-29 16:15
VLAI
Title
Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation.
Severity
9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.28.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:15:36.086Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-p787-6gqg-cvp5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-p787-6gqg-cvp5"
}
],
"source": {
"advisory": "GHSA-p787-6gqg-cvp5",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45630",
"datePublished": "2026-05-29T16:15:36.086Z",
"dateReserved": "2026-05-12T20:31:43.450Z",
"dateUpdated": "2026-05-29T16:15:36.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45629 (GCVE-0-2026-45629)
Vulnerability from nvd – Published: 2026-05-29 16:40 – Updated: 2026-05-29 16:40
VLAI
Title
Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise.
Severity
9.9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.28.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:40:59.537Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-r73h-qr3p-hf7f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-r73h-qr3p-hf7f"
}
],
"source": {
"advisory": "GHSA-r73h-qr3p-hf7f",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45629",
"datePublished": "2026-05-29T16:40:59.537Z",
"dateReserved": "2026-05-12T20:31:43.449Z",
"dateUpdated": "2026-05-29T16:40:59.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45628 (GCVE-0-2026-45628)
Vulnerability from nvd – Published: 2026-05-29 16:33 – Updated: 2026-05-29 19:29
VLAI
Title
Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges.
Severity
9.6 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:29:25.780039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:29:45.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.29.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:33:23.681Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-3frc-cfh9-ch2c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-3frc-cfh9-ch2c"
}
],
"source": {
"advisory": "GHSA-3frc-cfh9-ch2c",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45628",
"datePublished": "2026-05-29T16:33:23.681Z",
"dateReserved": "2026-05-12T20:31:43.449Z",
"dateUpdated": "2026-05-29T19:29:45.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43917 (GCVE-0-2026-43917)
Vulnerability from nvd – Published: 2026-05-29 16:40 – Updated: 2026-05-29 19:35
VLAI
Title
Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints missing activeOrganizationId validation
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource's org matches the session's activeOrganizationId. This affects the following endpoints: allByType, killProcess, and removeDeployment in deployment.ts; delete in rollbacks.ts; create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, and listBackupFiles in backup.ts; list, one, delete, update, runManually, and restoreVolumeBackupWithLogs in volume-backups.ts; getNodes, removeWorker, addWorker, and addManager in cluster.ts; and create in mount.ts.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43917",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:35:41.657741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:35:59.595Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource\u0027s org matches the session\u0027s activeOrganizationId. This affects the following endpoints: allByType, killProcess, and removeDeployment in deployment.ts; delete in rollbacks.ts; create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, and listBackupFiles in backup.ts; list, one, delete, update, runManually, and restoreVolumeBackupWithLogs in volume-backups.ts; getNodes, removeWorker, addWorker, and addManager in cluster.ts; and create in mount.ts."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:40:05.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-f8wj-5c4w-frhg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-f8wj-5c4w-frhg"
}
],
"source": {
"advisory": "GHSA-f8wj-5c4w-frhg",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints missing activeOrganizationId validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-43917",
"datePublished": "2026-05-29T16:40:05.824Z",
"dateReserved": "2026-05-04T16:11:33.086Z",
"dateUpdated": "2026-05-29T19:35:59.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45663 (GCVE-0-2026-45663)
Vulnerability from nvd – Published: 2026-05-29 16:03 – Updated: 2026-05-29 20:40
VLAI
Title
Dokploy: Remote Code Execution via destinationPath in Container File Upload
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or ", an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host.
Severity
9.9 (Critical)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45663",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T20:40:44.805822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T20:40:48.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-9m66-74x3-5mwr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.29.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or \", an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:03:22.999Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-9m66-74x3-5mwr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-9m66-74x3-5mwr"
}
],
"source": {
"advisory": "GHSA-9m66-74x3-5mwr",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Remote Code Execution via destinationPath in Container File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45663",
"datePublished": "2026-05-29T16:03:22.999Z",
"dateReserved": "2026-05-12T21:59:25.665Z",
"dateUpdated": "2026-05-29T20:40:48.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45662 (GCVE-0-2026-45662)
Vulnerability from nvd – Published: 2026-05-29 16:04 – Updated: 2026-05-29 16:04
VLAI
Title
Dokploy: Command Injection via incomplete shell escaping in docker logout (registry deletion)
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.29.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:04:51.019Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-827c-7x62-29jq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-827c-7x62-29jq"
}
],
"source": {
"advisory": "GHSA-827c-7x62-29jq",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Command Injection via incomplete shell escaping in docker logout (registry deletion)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45662",
"datePublished": "2026-05-29T16:04:51.019Z",
"dateReserved": "2026-05-12T21:59:25.665Z",
"dateUpdated": "2026-05-29T16:04:51.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27130 (GCVE-0-2026-27130)
Vulnerability from nvd – Published: 2026-05-18 20:58 – Updated: 2026-05-19 16:26
VLAI
Title
Dokploy has Command Injection in its Service Operations
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input sanitization, lack of schema validation and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, &) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7.
Severity
9.9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
| https://github.com/Dokploy/dokploy/commit/960892f… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27130",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T16:25:46.144447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T16:26:17.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-fcgq-jjfg-hrhj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c 0.26.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input sanitization, lack of schema validation and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, \u0026) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T20:58:42.885Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-fcgq-jjfg-hrhj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-fcgq-jjfg-hrhj"
},
{
"name": "https://github.com/Dokploy/dokploy/commit/960892fd8dcf12b7a73a00edaa1b7090fca860c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/commit/960892fd8dcf12b7a73a00edaa1b7090fca860c7"
}
],
"source": {
"advisory": "GHSA-fcgq-jjfg-hrhj",
"discovery": "UNKNOWN"
},
"title": "Dokploy has Command Injection in its Service Operations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27130",
"datePublished": "2026-05-18T20:58:42.885Z",
"dateReserved": "2026-02-17T18:42:27.044Z",
"dateUpdated": "2026-05-19T16:26:17.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24841 (GCVE-0-2026-24841)
Vulnerability from nvd – Published: 2026-01-28 00:18 – Updated: 2026-01-28 14:59
VLAI
Title
Dokploy Vulnerable to Authenticated Remote Code Execution via Command Injection in Docker Container Terminal WebSocket Endpoint
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.
Severity
9.9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
| https://github.com/Dokploy/dokploy/commit/74e0bd5… | x_refsource_MISC |
| https://github.com/Dokploy/dokploy/blob/canary/ap… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24841",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:58:12.909662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:59:11.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c 0.26.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy\u0027s WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T00:18:23.724Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r"
},
{
"name": "https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f"
},
{
"name": "https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts"
}
],
"source": {
"advisory": "GHSA-vx6x-6559-x35r",
"discovery": "UNKNOWN"
},
"title": "Dokploy Vulnerable to Authenticated Remote Code Execution via Command Injection in Docker Container Terminal WebSocket Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24841",
"datePublished": "2026-01-28T00:18:23.724Z",
"dateReserved": "2026-01-27T14:51:03.059Z",
"dateUpdated": "2026-01-28T14:59:11.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24840 (GCVE-0-2026-24840)
Vulnerability from nvd – Published: 2026-01-28 00:15 – Updated: 2026-01-28 15:01
VLAI
Title
Dokploy uses hardcoded credentials in installation script, which could result in database access
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue.
Severity
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
| https://github.com/Dokploy/dokploy/commit/b902c16… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24840",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:00:24.223741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:01:06.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c 0.26.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T00:15:57.299Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-jr65-3j3w-gjmc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-jr65-3j3w-gjmc"
},
{
"name": "https://github.com/Dokploy/dokploy/commit/b902c160a256ad345ac687c87eb092f1fab2c64d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/commit/b902c160a256ad345ac687c87eb092f1fab2c64d"
}
],
"source": {
"advisory": "GHSA-jr65-3j3w-gjmc",
"discovery": "UNKNOWN"
},
"title": "Dokploy uses hardcoded credentials in installation script, which could result in database access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24840",
"datePublished": "2026-01-28T00:15:57.299Z",
"dateReserved": "2026-01-27T14:51:03.059Z",
"dateUpdated": "2026-01-28T15:01:06.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45629 (GCVE-0-2026-45629)
Vulnerability from cvelistv5 – Published: 2026-05-29 16:40 – Updated: 2026-05-29 16:40
VLAI
Title
Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise.
Severity
9.9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.28.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:40:59.537Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-r73h-qr3p-hf7f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-r73h-qr3p-hf7f"
}
],
"source": {
"advisory": "GHSA-r73h-qr3p-hf7f",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45629",
"datePublished": "2026-05-29T16:40:59.537Z",
"dateReserved": "2026-05-12T20:31:43.449Z",
"dateUpdated": "2026-05-29T16:40:59.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43917 (GCVE-0-2026-43917)
Vulnerability from cvelistv5 – Published: 2026-05-29 16:40 – Updated: 2026-05-29 19:35
VLAI
Title
Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints missing activeOrganizationId validation
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource's org matches the session's activeOrganizationId. This affects the following endpoints: allByType, killProcess, and removeDeployment in deployment.ts; delete in rollbacks.ts; create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, and listBackupFiles in backup.ts; list, one, delete, update, runManually, and restoreVolumeBackupWithLogs in volume-backups.ts; getNodes, removeWorker, addWorker, and addManager in cluster.ts; and create in mount.ts.
Severity
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43917",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:35:41.657741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:35:59.595Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.19.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource\u0027s org matches the session\u0027s activeOrganizationId. This affects the following endpoints: allByType, killProcess, and removeDeployment in deployment.ts; delete in rollbacks.ts; create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, and listBackupFiles in backup.ts; list, one, delete, update, runManually, and restoreVolumeBackupWithLogs in volume-backups.ts; getNodes, removeWorker, addWorker, and addManager in cluster.ts; and create in mount.ts."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:40:05.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-f8wj-5c4w-frhg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-f8wj-5c4w-frhg"
}
],
"source": {
"advisory": "GHSA-f8wj-5c4w-frhg",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints missing activeOrganizationId validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-43917",
"datePublished": "2026-05-29T16:40:05.824Z",
"dateReserved": "2026-05-04T16:11:33.086Z",
"dateUpdated": "2026-05-29T19:35:59.595Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45628 (GCVE-0-2026-45628)
Vulnerability from cvelistv5 – Published: 2026-05-29 16:33 – Updated: 2026-05-29 19:29
VLAI
Title
Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges.
Severity
9.6 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:29:25.780039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:29:45.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.29.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:33:23.681Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-3frc-cfh9-ch2c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-3frc-cfh9-ch2c"
}
],
"source": {
"advisory": "GHSA-3frc-cfh9-ch2c",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45628",
"datePublished": "2026-05-29T16:33:23.681Z",
"dateReserved": "2026-05-12T20:31:43.449Z",
"dateUpdated": "2026-05-29T19:29:45.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45630 (GCVE-0-2026-45630)
Vulnerability from cvelistv5 – Published: 2026-05-29 16:15 – Updated: 2026-05-29 16:15
VLAI
Title
Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation.
Severity
9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.28.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:15:36.086Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-p787-6gqg-cvp5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-p787-6gqg-cvp5"
}
],
"source": {
"advisory": "GHSA-p787-6gqg-cvp5",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45630",
"datePublished": "2026-05-29T16:15:36.086Z",
"dateReserved": "2026-05-12T20:31:43.450Z",
"dateUpdated": "2026-05-29T16:15:36.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45631 (GCVE-0-2026-45631)
Vulnerability from cvelistv5 – Published: 2026-05-29 16:13 – Updated: 2026-05-29 16:13
VLAI
Title
Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.
Severity
10 (Critical)
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
| https://github.com/Dokploy/dokploy/pull/4374 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.27.0, \u003c 0.29.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback (\"better-auth-secret-123456789\") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:13:59.525Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-w3gm-rc4p-9rhj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-w3gm-rc4p-9rhj"
},
{
"name": "https://github.com/Dokploy/dokploy/pull/4374",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/pull/4374"
}
],
"source": {
"advisory": "GHSA-w3gm-rc4p-9rhj",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45631",
"datePublished": "2026-05-29T16:13:59.525Z",
"dateReserved": "2026-05-12T20:31:43.450Z",
"dateUpdated": "2026-05-29T16:13:59.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45632 (GCVE-0-2026-45632)
Vulnerability from cvelistv5 – Published: 2026-05-29 16:11 – Updated: 2026-05-29 16:11
VLAI
Title
Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId. Schedule types server and dokploy-server write and execute scripts on the host or remote servers, enabling RCE on the Dokploy host or a target server.
Severity
9.9 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.26.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId. Schedule types server and dokploy-server write and execute scripts on the host or remote servers, enabling RCE on the Dokploy host or a target server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:11:19.414Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-7wmr-57mg-h5q6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-7wmr-57mg-h5q6"
}
],
"source": {
"advisory": "GHSA-7wmr-57mg-h5q6",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45632",
"datePublished": "2026-05-29T16:11:19.414Z",
"dateReserved": "2026-05-12T20:31:43.450Z",
"dateUpdated": "2026-05-29T16:11:19.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45633 (GCVE-0-2026-45633)
Vulnerability from cvelistv5 – Published: 2026-05-29 16:10 – Updated: 2026-05-29 18:25
VLAI
Title
Dokploy: Command Injection in /docker-container-logs Endpoint
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.
Severity
9.9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45633",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T17:33:26.885212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:25:04.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-wmqj-wr9q-327p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.26.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:10:20.278Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-wmqj-wr9q-327p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-wmqj-wr9q-327p"
}
],
"source": {
"advisory": "GHSA-wmqj-wr9q-327p",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Command Injection in /docker-container-logs Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45633",
"datePublished": "2026-05-29T16:10:20.278Z",
"dateReserved": "2026-05-12T20:31:43.450Z",
"dateUpdated": "2026-05-29T18:25:04.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45661 (GCVE-0-2026-45661)
Vulnerability from cvelistv5 – Published: 2026-05-29 16:07 – Updated: 2026-05-29 16:07
VLAI
Title
Dokploy: Remote Code Execution through Path Traversal
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy's remote server deployment feature, this vulnerability enables arbitrary file write to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. This vulnerability bypasses all container isolation on remote server deployments.
Severity
9.9 (Critical)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.26.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy\u0027s remote server deployment feature, this vulnerability enables arbitrary file write to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. This vulnerability bypasses all container isolation on remote server deployments."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-35",
"description": "CWE-35: Path Traversal: \u0027.../...//\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:07:54.491Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-66v7-g3fh-47h3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-66v7-g3fh-47h3"
}
],
"source": {
"advisory": "GHSA-66v7-g3fh-47h3",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Remote Code Execution through Path Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45661",
"datePublished": "2026-05-29T16:07:54.491Z",
"dateReserved": "2026-05-12T21:59:25.665Z",
"dateUpdated": "2026-05-29T16:07:54.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45662 (GCVE-0-2026-45662)
Vulnerability from cvelistv5 – Published: 2026-05-29 16:04 – Updated: 2026-05-29 16:04
VLAI
Title
Dokploy: Command Injection via incomplete shell escaping in docker logout (registry deletion)
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl.
Severity
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.29.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:04:51.019Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-827c-7x62-29jq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-827c-7x62-29jq"
}
],
"source": {
"advisory": "GHSA-827c-7x62-29jq",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Command Injection via incomplete shell escaping in docker logout (registry deletion)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45662",
"datePublished": "2026-05-29T16:04:51.019Z",
"dateReserved": "2026-05-12T21:59:25.665Z",
"dateUpdated": "2026-05-29T16:04:51.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45663 (GCVE-0-2026-45663)
Vulnerability from cvelistv5 – Published: 2026-05-29 16:03 – Updated: 2026-05-29 20:40
VLAI
Title
Dokploy: Remote Code Execution via destinationPath in Container File Upload
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or ", an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host.
Severity
9.9 (Critical)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45663",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T20:40:44.805822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T20:40:48.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-9m66-74x3-5mwr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.29.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or \", an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T16:03:22.999Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-9m66-74x3-5mwr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-9m66-74x3-5mwr"
}
],
"source": {
"advisory": "GHSA-9m66-74x3-5mwr",
"discovery": "UNKNOWN"
},
"title": "Dokploy: Remote Code Execution via destinationPath in Container File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45663",
"datePublished": "2026-05-29T16:03:22.999Z",
"dateReserved": "2026-05-12T21:59:25.665Z",
"dateUpdated": "2026-05-29T20:40:48.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27130 (GCVE-0-2026-27130)
Vulnerability from cvelistv5 – Published: 2026-05-18 20:58 – Updated: 2026-05-19 16:26
VLAI
Title
Dokploy has Command Injection in its Service Operations
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input sanitization, lack of schema validation and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, &) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7.
Severity
9.9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
| https://github.com/Dokploy/dokploy/commit/960892f… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27130",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T16:25:46.144447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T16:26:17.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-fcgq-jjfg-hrhj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c 0.26.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input sanitization, lack of schema validation and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, \u0026) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T20:58:42.885Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-fcgq-jjfg-hrhj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-fcgq-jjfg-hrhj"
},
{
"name": "https://github.com/Dokploy/dokploy/commit/960892fd8dcf12b7a73a00edaa1b7090fca860c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/commit/960892fd8dcf12b7a73a00edaa1b7090fca860c7"
}
],
"source": {
"advisory": "GHSA-fcgq-jjfg-hrhj",
"discovery": "UNKNOWN"
},
"title": "Dokploy has Command Injection in its Service Operations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27130",
"datePublished": "2026-05-18T20:58:42.885Z",
"dateReserved": "2026-02-17T18:42:27.044Z",
"dateUpdated": "2026-05-19T16:26:17.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24841 (GCVE-0-2026-24841)
Vulnerability from cvelistv5 – Published: 2026-01-28 00:18 – Updated: 2026-01-28 14:59
VLAI
Title
Dokploy Vulnerable to Authenticated Remote Code Execution via Command Injection in Docker Container Terminal WebSocket Endpoint
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.
Severity
9.9 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
| https://github.com/Dokploy/dokploy/commit/74e0bd5… | x_refsource_MISC |
| https://github.com/Dokploy/dokploy/blob/canary/ap… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24841",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:58:12.909662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:59:11.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c 0.26.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy\u0027s WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T00:18:23.724Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r"
},
{
"name": "https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f"
},
{
"name": "https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts"
}
],
"source": {
"advisory": "GHSA-vx6x-6559-x35r",
"discovery": "UNKNOWN"
},
"title": "Dokploy Vulnerable to Authenticated Remote Code Execution via Command Injection in Docker Container Terminal WebSocket Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24841",
"datePublished": "2026-01-28T00:18:23.724Z",
"dateReserved": "2026-01-27T14:51:03.059Z",
"dateUpdated": "2026-01-28T14:59:11.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24840 (GCVE-0-2026-24840)
Vulnerability from cvelistv5 – Published: 2026-01-28 00:15 – Updated: 2026-01-28 15:01
VLAI
Title
Dokploy uses hardcoded credentials in installation script, which could result in database access
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue.
Severity
CWE
- CWE-798 - Use of Hard-coded Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
| https://github.com/Dokploy/dokploy/commit/b902c16… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24840",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:00:24.223741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:01:06.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c 0.26.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T00:15:57.299Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-jr65-3j3w-gjmc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-jr65-3j3w-gjmc"
},
{
"name": "https://github.com/Dokploy/dokploy/commit/b902c160a256ad345ac687c87eb092f1fab2c64d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/commit/b902c160a256ad345ac687c87eb092f1fab2c64d"
}
],
"source": {
"advisory": "GHSA-jr65-3j3w-gjmc",
"discovery": "UNKNOWN"
},
"title": "Dokploy uses hardcoded credentials in installation script, which could result in database access"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24840",
"datePublished": "2026-01-28T00:15:57.299Z",
"dateReserved": "2026-01-27T14:51:03.059Z",
"dateUpdated": "2026-01-28T15:01:06.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24839 (GCVE-0-2026-24839)
Vulnerability from cvelistv5 – Published: 2026-01-28 00:01 – Updated: 2026-01-28 15:02
VLAI
Title
Dokploy has a clickjacking vulnerability - Missing X-Frame-Options and CSP frame-ancestors headers
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue.
Severity
4.7 (Medium)
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Dokploy/dokploy/security/advis… | x_refsource_CONFIRM |
| https://github.com/Dokploy/dokploy/pull/3500 | x_refsource_MISC |
| https://github.com/Dokploy/dokploy/commit/9714695… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24839",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:01:38.667953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:02:29.344Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokploy",
"vendor": "Dokploy",
"versions": [
{
"status": "affected",
"version": "\u003c 0.26.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T00:01:49.253Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q"
},
{
"name": "https://github.com/Dokploy/dokploy/pull/3500",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/pull/3500"
},
{
"name": "https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8"
}
],
"source": {
"advisory": "GHSA-c94j-8wgf-2q9q",
"discovery": "UNKNOWN"
},
"title": "Dokploy has a clickjacking vulnerability - Missing X-Frame-Options and CSP frame-ancestors headers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24839",
"datePublished": "2026-01-28T00:01:49.253Z",
"dateReserved": "2026-01-27T14:51:03.059Z",
"dateUpdated": "2026-01-28T15:02:29.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
FKIE_CVE-2026-24839
Vulnerability from fkie_nvd - Published: 2026-01-28 01:16 - Updated: 2026-02-04 17:58
Severity
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dokploy:dokploy:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D811B470-39CF-4FCD-A0A6-77EBBE229498",
"versionEndExcluding": "0.26.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue."
},
{
"lang": "es",
"value": "Dokploy es una Plataforma como Servicio (PaaS) gratuita y autoalojable. En versiones anteriores a la 0.26.6, la interfaz web de Dokploy es vulnerable a ataques de clickjacking debido a la ausencia de encabezados anti-frame. Esto permite a los atacantes incrustar p\u00e1ginas de Dokploy en iframes maliciosos y enga\u00f1ar a los usuarios autenticados para que realicen acciones no deseadas. La versi\u00f3n 0.26.6 corrige el problema."
}
],
"id": "CVE-2026-24839",
"lastModified": "2026-02-04T17:58:11.480",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-01-28T01:16:14.490",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/Dokploy/dokploy/pull/3500"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1021"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2026-24841
Vulnerability from fkie_nvd - Published: 2026-01-28 01:16 - Updated: 2026-02-04 17:37
Severity
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dokploy:dokploy:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D811B470-39CF-4FCD-A0A6-77EBBE229498",
"versionEndExcluding": "0.26.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy\u0027s WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue."
},
{
"lang": "es",
"value": "Dokploy es una Plataforma como Servicio (PaaS) gratuita y autoalojable. En versiones anteriores a la 0.26.6, existe una vulnerabilidad cr\u00edtica de inyecci\u00f3n de comandos en el endpoint WebSocket de Dokploy `/docker-container-terminal`. Los par\u00e1metros `containerId` y `activeWay` se interpolan directamente en comandos de shell sin sanitizaci\u00f3n, permitiendo a atacantes autenticados ejecutar comandos arbitrarios en el servidor anfitri\u00f3n. La versi\u00f3n 0.26.6 soluciona el problema."
}
],
"id": "CVE-2026-24841",
"lastModified": "2026-02-04T17:37:04.663",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-01-28T01:16:14.797",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory",
"Mitigation"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2026-24840
Vulnerability from fkie_nvd - Published: 2026-01-28 01:16 - Updated: 2026-02-04 17:55
Severity
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dokploy:dokploy:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D811B470-39CF-4FCD-A0A6-77EBBE229498",
"versionEndExcluding": "0.26.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue."
},
{
"lang": "es",
"value": "Dokploy es una Plataforma como Servicio (PaaS) gratuita y autoalojable. En versiones anteriores a la 0.26.6, una credencial codificada en el script de instalaci\u00f3n proporcionado (ubicado en HTTPS://dokploy.com/install.sh, l\u00ednea 154) utiliza una contrase\u00f1a codificada al crear el contenedor de la base de datos. Esto significa que casi todas las instalaciones de Dokploy utilizan las mismas credenciales de la base de datos y podr\u00edan verse comprometidas. La versi\u00f3n 0.26.6 contiene un parche para el problema."
}
],
"id": "CVE-2026-24840",
"lastModified": "2026-02-04T17:55:14.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-01-28T01:16:14.647",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/Dokploy/dokploy/commit/b902c160a256ad345ac687c87eb092f1fab2c64d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-jr65-3j3w-gjmc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}