CVE Watchtower



CVE-2026-45628 (NVD)

Vulnerability Summary

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. Exploitation requires an authenticated user with application create/edit privileges.
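
The pattern described in the summary, next to a hardened form, as an added example (not Dokploy's code). The function names, the /srv/app path, the git.example.com URL and the branch allow-list are assumptions made for illustration; the example covers the branch name and repository URL cases only.

```javascript
// Added illustration; function names, paths and sample values are hypothetical,
// not Dokploy's code.

// Vulnerable pattern: the string is later handed to child_process.exec(),
// i.e. /bin/sh -c, so the shell parses whatever the user put in `branch`.
function buildCloneCommandUnsafe(repoUrl, branch, dest) {
  return `git clone --branch ${branch} ${repoUrl} ${dest}`;
}

// Hardened pattern, step 1: allow-list validation of user-controlled fields.
// The leading-dash check keeps a value from being read as a git option.
const BRANCH_RE = /^(?!-)[A-Za-z0-9._\/-]{1,255}$/;

function buildCloneArgv(repoUrl, branch, dest) {
  if (!BRANCH_RE.test(branch) || branch.includes("..")) {
    throw new Error("invalid branch name");
  }
  const url = new URL(repoUrl); // throws on anything that is not a URL
  if (url.protocol !== "https:" && url.protocol !== "ssh:") {
    throw new Error("unsupported repository URL scheme");
  }
  // Step 2: one array element per argument; "--" ends option parsing.
  return ["clone", "--branch", branch, "--", url.href, dest];
}

// Step 3: execFile() starts git directly with that argv, no shell in between.
// Dynamic import keeps the block valid in both CommonJS and ES modules.
async function cloneSafe(repoUrl, branch, dest) {
  const { execFile } = await import("node:child_process");
  const { promisify } = await import("node:util");
  const argv = buildCloneArgv(repoUrl, branch, dest);
  return promisify(execFile)("git", argv, { timeout: 60_000 });
}

// Constructed sample input: a branch field carrying a shell metacharacter.
const SAMPLE_REPO = "https://git.example.com/org/app.git";
const SAMPLE_BRANCH = "main; echo INJECTED";

function demo() {
  const unsafe = buildCloneCommandUnsafe(SAMPLE_REPO, SAMPLE_BRANCH, "/srv/app");
  let rejected = false;
  try { buildCloneArgv(SAMPLE_REPO, SAMPLE_BRANCH, "/srv/app"); } catch { rejected = true; }
  const ok = buildCloneArgv(SAMPLE_REPO, "release/1.2", "/srv/app");
  return { unsafe, rejected, ok };
}
console.log(demo());
```

The unsafe string contains a second command after the semicolon once /bin/sh parses it, while the hardened builder rejects the same input before any process is started.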

Severity Level: CRITICAL (9.6)
Published Date: May 29, 2026
Last Modified: May 29, 2026
Exploitation Status: UNKNOWN
Root Weakness (CWE): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required.
EPSS Score (30-Day): 0.05% probability

CVSS v3.1 Base Metrics

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None