PatchSiren cyber security CVE debrief

CVE-2026-45628 Dokploy CVE debrief

## Summary

**CVE-2026-45628** is a **critical** (CVSS 9.6) command-injection vulnerability in Dokploy, a self-hosted Platform-as-a-Service (PaaS). Versions 0.29.2 and earlier construct shell commands using JavaScript template literals and execute them via `child_process.exec()`, which invokes `/bin/sh -c`. User-supplied inputs (specifically branch names, repository URLs, and Docker credentials) are interpolated directly into these commands without proper escaping, so shell metacharacters in those values are parsed by the shell rather than passed through as plain arguments. Exploitation requires an authenticated user with application create or edit privileges.

## Technical Details

- **Root Cause:** Unsafe construction of shell commands through JavaScript template literals without input sanitization or escaping.
- **Attack Vector:** Network-based; low attack complexity.
- **Privileges Required:** Low (authenticated user with app create/edit permissions).
- **Scope:** Changed (the vulnerable component impacts resources beyond its security scope).
- **Impact:** High confidentiality and integrity impact; no availability impact per CVSS vector.
- **Weaknesses:** CWE-20 (Improper Input Validation) and CWE-77 (Command Injection).

## Affected Versions

- Dokploy 0.29.2 and earlier

## Timeline

- **Published:** 2026-05-29 18:17:10 UTC
- **Modified:** 2026-05-29 20:25:00 UTC

## Recommended Actions

1. **Upgrade immediately** to a patched version of Dokploy if available; monitor the GitHub Security Advisory for fix releases.
2. **Restrict application create/edit privileges** to only highly trusted administrators until patching is complete.
3. **Audit existing applications** for suspicious branch names, repository URLs, or Docker credentials that may indicate prior exploitation attempts.
4. **Implement input validation** at the application layer as a defense-in-depth measure if source code modifications are feasible.
5. **Monitor system logs** for unusual shell command execution patterns originating from the Dokploy process.

Vendor: Dokploy
Product: Unknown
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running self-hosted Dokploy instances, particularly those with multi-user deployments where application creation privileges are distributed beyond core administrators.

Technical summary

Dokploy 0.29.2 and earlier constructs shell commands using JavaScript template literals executed via child_process.exec(). User-controlled branch names, repository URLs, and Docker credentials are interpolated without escaping, enabling authenticated command injection.

Defensive priority

critical

Recommended defensive actions

  • Upgrade immediately to a patched version of Dokploy if available; monitor the GitHub Security Advisory for fix releases.
  • Restrict application create/edit privileges to only highly trusted administrators until patching is complete.
  • Audit existing applications for suspicious branch names, repository URLs, or Docker credentials that may indicate prior exploitation attempts.
  • Implement input validation at the application layer as a defense-in-depth measure if source code modifications are feasible.
  • Monitor system logs for unusual shell command execution patterns originating from the Dokploy process.

Evidence notes

Vulnerability description and CVSS data sourced from NVD record. Technical details confirmed via GitHub Security Advisory GHSA-3frc-cfh9-ch2c. CWE classifications and reference links provided in official vulnerability database entry.

Official resources

2026-05-29T18:17:10.807Z