CVE-2026-24841

CRITICAL

Dokploy < 0.26.6 - OS Command Injection

Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-24841
nomisec WORKING POC
by otakuliu · poc
https://github.com/otakuliu/CVE-2026-24841_Range

Scores

CVSS v3 9.9
EPSS 0.0011
EPSS Percentile 29.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-78
Status published
Products (1)
dokploy/dokploy < 0.26.6
Published Jan 28, 2026
Tracked Since Feb 18, 2026