Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.
AnalysisAI
Authenticated command injection in Dokploy 0.26.6 and earlier enables any logged-in user to run arbitrary OS commands as root via the /docker-container-logs WebSocket endpoint. The tail and since parameters are concatenated into shell commands without validation, yielding a CVSS 9.9 (Scope:Changed) issue affecting this self-hosted PaaS. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
Dokploy is an open-source, self-hostable Platform-as-a-Service that orchestrates Docker containers, comparable to Heroku/Vercel-style deployments. The flaw is a classic CWE-78 (OS Command Injection): user-controlled parameters (tail, since - typically numeric arguments forwarded to docker logs --tail=N --since=T) are interpolated directly into a shell string rather than passed as argv elements or sanitized against an allow-list. Because the Dokploy server process manages Docker on the host, the resulting command runs in the privilege context of the daemon, which per the advisory equates to root. Exposure surface is a WebSocket endpoint (/docker-container-logs), meaning exploitation rides on the same upgraded HTTP session used by the dashboard. The single CPE - cpe:2.3:a:dokploy:dokploy:*:*:*:*:*:*:*:* - confirms all versions through 0.26.6 are in scope.
RemediationAI
Upgrade to the fixed Dokploy release identified in GHSA-wmqj-wr9q-327p (https://github.com/Dokploy/dokploy/security/advisories/GHSA-wmqj-wr9q-327p); the input data does not include the exact fix version, so confirm the patched version directly from the advisory before deploying. Until upgraded, restrict network reachability of the Dokploy UI/API to trusted operators only (VPN, IP allow-list, or reverse-proxy auth in front of the dashboard) - this blocks the network attack vector but breaks remote team access. Additionally, audit and reduce the number of accounts that can authenticate to the Dokploy instance, since the vulnerability requires only a low-privilege session; revoke shared or stale credentials, with the trade-off of operational friction for legitimate collaborators. As a partial mitigation, block or proxy-filter WebSocket upgrade requests to /docker-container-logs at an upstream reverse proxy, accepting the side effect that the in-app container log viewer will stop working for all users.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33353