CVE-2026-27130

CRITICAL

Dokploy has Command Injection in its Service Operations

Title source: cna

Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input sanitization, lack of schema validation and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, &) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/Dokploy/dokploy/security/advisories/GHSA-fcgq-jjfg-hrhj

X_Refsource_Misc x_refsource_misc

https://github.com/Dokploy/dokploy/commit/960892fd8dcf12b7a73a00edaa1b7090fca860c7

View Writeup ZIP pw:eip

Scores

CVSS v3 9.9

EPSS 0.0033

EPSS Percentile 55.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

Dokploy/dokploy < 0.26.7

Published May 18, 2026

Tracked Since May 19, 2026