
Dokploy EUVD-2026-30809

CVE-2026-27130 | CRITICAL
OS Command Injection (CWE-78)
Published 2026-05-18 | security-advisories@github.com
CVSS 3.1 base score: 9.9

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: May 18, 2026 - 22:16 (EUVD)
Source Code Evidence Fetched: May 18, 2026 - 21:30 (vuln.today)
Analysis Generated: May 18, 2026 - 21:30 (vuln.today)

Description (NVD)

Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below are vulnerable to OS command injection through the appName parameter. Three chained issues cause this problem: inadequate input sanitization, lack of schema validation, and direct shell interpolation. User-controlled application names pass through inadequate sanitization (the cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g. ;, $(), backticks, |, &) into the appName field during application creation; these are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7.

Analysis (AI)

OS command injection in Dokploy self-hosted PaaS (versions <= 0.26.6) allows an authenticated low-privileged user to achieve server-level remote code execution by injecting shell metacharacters into the appName parameter when creating an application or database. The cleanAppName sanitizer only lowercases and strips spaces, leaving characters like ;, $(), backticks, |, and & to be passed directly into execAsync()/execAsyncRemote() shell interpolation when service lifecycle operations run. …
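To make the root cause concrete, the following TypeScript is an added example written for this page, not Dokploy's own code: a reconstruction of the weak "lowercase and strip spaces" sanitizer the advisory describes, beside a strict allowlist validator and a service call that passes the name as a single argv element through execFile rather than interpolating it into a shell string. The sanitizer body, the docker command, and the 63-character length bound are assumptions.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Reconstruction (assumption) of the weak sanitizer the advisory describes:
// it only drops whitespace and lowercases, so shell metacharacters survive.
function cleanAppNameWeak(name: string): string {
  return name.replace(/\s+/g, "").toLowerCase();
}

// Hardened replacement: an allowlist that rejects instead of "cleaning".
// Docker service names are lowercase alphanumerics plus '-', '_' and '.';
// the 63-character bound is an assumed policy value, not Dokploy's.
const APP_NAME_RE = /^[a-z0-9][a-z0-9._-]{0,62}$/;

function isValidAppName(name: string): boolean {
  return APP_NAME_RE.test(name);
}

function validateAppName(name: string): string {
  if (!isValidAppName(name)) {
    throw new Error(`invalid appName ${JSON.stringify(name)}: allowed [a-z0-9._-]`);
  }
  return name;
}

// Vulnerable shape (illustrative): one shell string with the name inside it.
// Passed to an exec()-style helper, this string is parsed by /bin/sh, which
// is where the surviving metacharacters become command syntax.
function buildShellCommandUnsafe(appName: string, replicas: number): string {
  return `docker service scale ${cleanAppNameWeak(appName)}=${replicas}`;
}

// Safe shape: validated name, argv array, no shell. The name reaches docker
// as one argument and is never interpreted as command syntax.
function buildServiceArgs(appName: string, replicas: number): string[] {
  const name = validateAppName(appName);
  if (!Number.isInteger(replicas) || replicas < 0) {
    throw new Error("replicas must be a non-negative integer");
  }
  return ["service", "scale", `${name}=${replicas}`];
}

async function scaleService(appName: string, replicas: number): Promise<string> {
  const { stdout } = await execFileAsync("docker", buildServiceArgs(appName, replicas));
  return stdout;
}
```

The allowlist check belongs in the request schema as well, so a malformed name is rejected before any service operation is reached.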


Remediation (AI)

Within 24 hours: Inventory all Dokploy deployments running versions 0.26.6 or earlier; audit platform user accounts and review logs for recent application or database creation activity. Within 7 days: Isolate affected Dokploy instances from production networks or disable entirely; restrict platform access to trusted administrators only and revoke all low-privilege user accounts. …



EUVD-2026-30809 vulnerability details – vuln.today
