CVE-2026-45629NVD

Vulnerability Summary

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise.

Severity Level

CRITICAL(9.9)

Published Date

May 29, 2026

Last Modified

Jun 2, 2026

Exploitation Status

UNKNOWN

Root Weakness (CWE)

CWE-78: OS Command Injection ↗

The software constructs all or part of an OS command using externally-influenced input, but does not properly neutralize special elements.

EPSS Score (30-Day)

0.24%Probability

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityLow

External References

https://github.com/Dokploy/dokploy/security/advisories/GHSA-r73h-qr3p-hf7f
https://github.com/Dokploy/dokploy/security/advisories/GHSA-r73h-qr3p-hf7f