CVE-2026-24841

Critical CVSS: 9.9

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.

Vendor

Dokploy

Product

Dokploy

CWE

CWE-78

Yayın Tarihi

2026-01-28 01:16:14

Güncelleme

2026-02-04 17:37:04

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-78 Dokploy CRITICAL Dokploy 2026

Referanslar

https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r

Benzer Kayıtlar

Medium

CVE-2026-24839

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is…

High

CVE-2026-24840

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in th…

Critical

CVE-2025-53825

Dokploy is a free, self-hostable Platform as a Service (PaaS). Prior to version 0.24.3, an unauthenticated preview deplo…

Low

CVE-2025-53374

Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications an…

Medium

CVE-2025-53375

Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications an…

Medium

CVE-2025-53376

Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications an…