What is the CVSS score of EUVD-2026-33349?

EUVD-2026-33349 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Dokploy are affected by EUVD-2026-33349?

Dokploy versions 0.29.0 and earlier contain a command injection vulnerability in the registry deletion function that allows authenticated users to execute arbitrary operating system commands on…

Dokploy EUVD-2026-33349

| CVE-2026-45662 HIGH

OS Command Injection (CWE-78)

2026-05-29 security-advisories@github.com

Docker Command Injection

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 29, 2026 - 16:50 vuln.today

CVE Published

May 29, 2026 - 16:16 nvd

HIGH 8.8

DescriptionNVD

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl.

AnalysisAI

Command injection in Dokploy 0.29.0 and earlier allows authenticated users to execute arbitrary OS commands on the host by deleting a Docker registry whose registryUrl contains shell metacharacters. The deleteRegistry function in packages/server/src/services/registry.ts passes registryUrl unescaped into docker logout, while the adjacent docker login call correctly uses shEscape() - making this a clear regression. …

RemediationAI

Within 24 hours: Audit all Dokploy deployments to identify affected versions (0.29.0 and earlier); restrict registry management permissions to administrators only. Within 7 days: Implement host-level command execution logging for all Dokploy instances; disable the deleteRegistry function if not operationally critical. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-33349 vulnerability details – vuln.today

Back

Dokploy EUVD-2026-33349

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code