Critical severity9.6NVD Advisory· Published May 29, 2026· Updated May 29, 2026
CVE-2026-45628
CVE-2026-45628
Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1News mentions
1- Dokploy: 10 Critical Flaws Disclosed — Path Traversal, RCE, and Hardcoded SecretVypr Intelligence · May 29, 2026