CVE-2026-45633

CRITICAL

Dokploy: Command Injection in /docker-container-logs Endpoint

Title source: cna

Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and earlier contain a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are concatenated directly into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.

Scores

CVSS v3: 9.9
EPSS: 0.0099
EPSS Percentile: 57.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-78
Status: published
Products (1): Dokploy/dokploy <= 0.26.6
Published: May 29, 2026
Tracked Since: May 29, 2026