CVE-2026-45630NVD

Vulnerability Summary

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation.

Severity Level

CRITICAL(9.0)

Published Date

May 29, 2026

Last Modified

Jun 1, 2026

Exploitation Status

UNKNOWN

Root Weakness (CWE)

CWE-78: OS Command Injection ↗

The software constructs all or part of an OS command using externally-influenced input, but does not properly neutralize special elements.

EPSS Score (30-Day)

0.26%Probability

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredHigh

User InteractionNone

ScopeChanged

ConfidentialityHigh

IntegrityHigh

AvailabilityLow

External References

https://github.com/Dokploy/dokploy/security/advisories/GHSA-p787-6gqg-cvp5
https://github.com/Dokploy/dokploy/security/advisories/GHSA-p787-6gqg-cvp5