These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A critical path traversal vulnerability in Dokploy v0.26.5 and earlier allows authenticated users to write arbitrary files to the filesystem during application deployment. When exploited in conjunction with Dokploy's remote server deployment feature, this vulnerability enables arbitrary file writes to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, dat [truncated]
Dokploy versions 0.26.6 and earlier contain a critical command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges. This vulnerability has a CVSS 3.1 score of 9.9 (Critical). The issue was published on May 2 [truncated]
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions 0.26.7 and earlier, the schedule router does not enforce organization or role-based access controls. This allows any authenticated user to create, update, run, or delete schedules belonging to other organizations if they know the scheduleId or serverId. Schedule types 'server' and 'dokploy-server' write and execute scripts on the h [truncated]
CVE-2026-45631 is a critical authentication bypass vulnerability in Dokploy, a self-hostable Platform as a Service (PaaS), affecting versions 0.27.0 through 0.29.2. The vulnerability stems from a hardcoded fallback value for the BETTER_AUTH_SECRET configuration parameter (set to 'better-auth-secret-123456789'), which allows unauthenticated attackers to forge valid email verification JWTs. Successful explo [truncated]
A critical OS command injection vulnerability in Dokploy, a self-hostable Platform-as-a-Service (PaaS) solution, allows authenticated admin or owner users to execute arbitrary system commands on remote servers. The vulnerability exists in the `application.updateTraefikConfig` tRPC endpoint in versions 0.28.8 and earlier, where unsanitized user input is interpolated into shell `echo` commands. This represe [truncated]
Dokploy versions 0.28.8 and earlier contain a critical authenticated OS command injection vulnerability in the `/listen-deployment` WebSocket endpoint. Any organization member can execute arbitrary system commands on remote servers managed by Dokploy, resulting in full server compromise. This vulnerability carries a CVSS 3.1 score of 9.9 (Critical).
**CVE-2026-45628** is a **critical** (CVSS 9.6) command-injection vulnerability in Dokploy, a self-hosted Platform-as-a-Service (PaaS). Versions 0.29.2 and earlier construct shell commands using JavaScript template literals and execute them via `child_process.exec()` (which invokes `/bin/sh -c`). User-supplied inputs—specifically branch names, repository URLs, and Docker credentials—are interpo [truncated]
CVE-2026-43917 documents an authorization bypass in Dokploy, a self-hostable Platform-as-a-Service (PaaS) solution. In versions 0.19.0 and earlier, the `protectedProcedure` middleware authenticates users but fails to enforce organization-level scoping. This allows authenticated users to access or manipulate resources across organizational boundaries without explicit permission checks at the middleware lay [truncated]
A critical command injection vulnerability in Dokploy's Docker file upload functionality allows authenticated attackers to execute arbitrary OS commands on the host. The flaw exists in versions 0.29.1 and earlier, where the destinationPath parameter is unsafely interpolated into shell commands during docker cp operations. Attackers can inject shell metacharacters to escape the intended command context. Th [truncated]
A command injection vulnerability exists in Dokploy versions 0.29.0 and earlier. The deleteRegistry function in packages/server/src/services/registry.ts executes docker logout ${response.registryUrl} without shell escaping, while the docker login command in the same file correctly uses shEscape(). This inconsistency allows authenticated attackers with registry deletion privileges to inject arbitrary shell [truncated]
CVE-2026-27130 is a critical command injection flaw in Dokploy affecting versions 0.26.6 and below. User-controlled application names can pass through weak sanitization, bypass missing schema validation, and reach shell commands through direct interpolation. In practice, an authenticated attacker who controls appName during application creation may be able to trigger server-side command execution when ser [truncated]