VYPR
Critical severity9.6NVD Advisory· Published May 29, 2026· Updated May 29, 2026

CVE-2026-45628

CVE-2026-45628

Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Dokploy/Dokployinferred2 versions
    <=0.29.2+ 1 more
    • (no CPE)range: <=0.29.2
    • (no CPE)range: <=0.29.2

Patches

Vulnerability mechanics

References

1

News mentions

1