Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS Vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Description (GitHub Advisory)
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise.
Analysis (AI)
Authenticated OS command injection in Dokploy 0.28.8 and earlier lets any organization member execute arbitrary system commands on remote servers managed by the PaaS via the /listen-deployment WebSocket endpoint, resulting in full server compromise. With a CVSS 9.9 (scope changed) and low-privilege precondition, the flaw effectively turns any low-tier org account into a foothold on every connected host. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Attacker must hold valid credentials for any role within a Dokploy organization on a vulnerable instance (0.28.8 or earlier) and must be able to reach the /listen-deployment WebSocket endpoint over the network; no user interaction or admin role is required. … |
| Risk Assessment | Signals are consistently severe: CVSS 9.9 with AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L describes a network-reachable, low-complexity, low-privilege, no-user-interaction bug whose impact crosses a security boundary from the Dokploy app to the managed servers. … |
| Exploit Scenario | An attacker obtains or is granted the lowest organization-member role in a target Dokploy instance (via invitation, compromised teammate account, or insider access), then opens an authenticated WebSocket to /listen-deployment and submits a crafted message containing shell metacharacters in a deployment-related parameter. Dokploy executes the injected command on a managed remote server under its privileged service account, yielding arbitrary command execution and full compromise of that host, after which the attacker pivots across every server the Dokploy instance controls. |
| Remediation | No vendor-released patch version is identified in the supplied data; consult the Dokploy advisory at https://github.com/Dokploy/dokploy/security/advisories/GHSA-r73h-qr3p-hf7f for the fixed release and upgrade once it is published past 0.28.8. … |
Recommended Action (AI)
24 hours: Audit all Dokploy instances to identify systems running versions 0.28.8 or earlier; implement network-level access controls restricting /listen-deployment WebSocket endpoint access to known internal sources only; rotate all service account credentials accessible through Dokploy. …
EUVD-2026-33362