CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description (NVD)
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or ", an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host.
Analysis (AI)
Command injection in Dokploy 0.29.1 and earlier allows authenticated users to execute arbitrary OS commands on the host by abusing the Docker file upload feature's unsanitized destinationPath parameter. The CVSS 9.9 score reflects the scope change from a containerized context to the underlying host. No public exploit was identified at the time of analysis, though the GHSA advisory provides enough technical detail to reconstruct one.
Remediation (AI)
Within 24 hours: Enumerate all Dokploy deployments running 0.29.1 or earlier; restrict file upload feature access to a minimal set of trusted administrators; enable comprehensive audit logging on all file upload operations. Within 7 days: Review upload logs for suspicious destinationPath patterns; implement network segmentation separating Dokploy infrastructure from production workloads and credential stores. …
External POC / Exploit Code
EUVD-2026-33348