CVE-2026-45663: Dokploy 0.29.1 and earlier: Unauthorized Docker File Uploads

CVE-2026-45663
Summary

Dokploy's Docker file upload feature contains a command injection flaw: an authenticated user who uploads a file to a container can supply a destinationPath value that runs arbitrary OS commands on the Dokploy host. This is a concern for any Dokploy user, as it could lead to data theft or server compromise. To protect yourself, ensure you're running the latest version of Dokploy.

Original title
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user up...
Original description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or ", an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host.
NVD CVSS 3.1: 9.9
Vulnerability type
CWE-77 Command Injection
Published: 29 May 2026 · Updated: 31 May 2026 · First seen: 29 May 2026
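
The pattern in the description above, shown as an added example that is not Dokploy's own code: a shell-string builder next to an argv-based one that validates its inputs and never invokes a shell. All function names, the container-reference pattern and the sample values are assumptions made for illustration.

```javascript
// Added example; function names and sample values are hypothetical.

// Pattern described in the advisory: destinationPath is pasted into a shell
// command string, so the shell interprets any metacharacters it contains.
function buildUnsafeCommand(containerId, localFile, destinationPath) {
  return `docker cp "${localFile}" "${containerId}:${destinationPath}"`;
}

// Assumed allow-list for container names/ids (letters, digits, "_", ".", "-").
const CONTAINER_REF = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/;

// Hardened form: validate, then build an argv array. No shell parses it, so
// each element reaches the docker CLI as exactly one argument.
function dockerCpArgs(containerId, localFile, destinationPath) {
  if (!CONTAINER_REF.test(containerId)) throw new Error("invalid container reference");
  for (const p of [localFile, destinationPath]) {
    if (typeof p !== "string" || !p.startsWith("/")) throw new Error("path must be absolute");
    if (/[\x00-\x1f\x7f]/.test(p)) throw new Error("path contains control characters");
  }
  return ["cp", localFile, `${containerId}:${destinationPath}`];
}

// Runs docker without a shell: execFile passes args straight to the process.
async function uploadToContainer(containerId, localFile, destinationPath) {
  const { execFile } = await import("node:child_process");
  const args = dockerCpArgs(containerId, localFile, destinationPath);
  return new Promise((resolve, reject) =>
    execFile("docker", args, (err, stdout) => (err ? reject(err) : resolve(stdout)))
  );
}

// Constructed sample input containing the metacharacters the advisory names.
const SAMPLE_DESTINATION = '/data/x"; echo marker; "';

// Returns both forms for the same input so the difference can be inspected.
function compare() {
  return {
    shellString: buildUnsafeCommand("abc123", "/tmp/upload.bin", SAMPLE_DESTINATION),
    argv: dockerCpArgs("abc123", "/tmp/upload.bin", SAMPLE_DESTINATION),
  };
}
```

In the shell string the quote and semicolon end the `docker cp` command early; in the argv form the same characters stay inside a single argument.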