CVE-2026-45633 | Dokploy is a free, self-hostable Platform as a Service (PaaS… | CVSS 9.9 CRITICAL

Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.

Metadata

CVE ID: CVE-2026-45633
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-12 20:31 UTC
Published: 2026-05-29 16:10 UTC
Last updated: 2026-05-29 18:25 UTC
Primary CWE: CWE-78
CWE-78: Improper Neutralization of Special Elements used in …
Vendor / Product: Dokploy / dokploy
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Dokploy	dokploy	—	<= 0.26.6

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (1)

https://github.com/Dokploy/dokploy/security/advisories/GHSA-wmqj-wr9q-327p https://github.com/Dokploy/dokploy/security/advisories/GHSA-wmqj-wr9q-327p