Skip to main content

Dokku EUVDEUVD-2026-39803

| CVE-2026-45406 HIGH
Eval Injection (CWE-95)
2026-06-26 GitHub_M
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
CRITICAL
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Attacker must hold deploy rights so PR:L (not PR:N), delivery is over the network git/deploy path (AV:N), the eval path triggers reliably with no special timing (AC:L), and it yields full host command execution (C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 26, 2026 - 19:17 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 19:15 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 19:07 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 19:07 NVD
CRITICAL HIGH
CVSS changed
Jun 26, 2026 - 19:07 NVD
9.0 (CRITICAL) 8.8 (HIGH)
Patch available
Jun 26, 2026 - 18:02 EUVD
Source Code Evidence Fetched
Jun 26, 2026 - 17:24 vuln.today
Analysis Generated
Jun 26, 2026 - 17:24 vuln.today

DescriptionNVD

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command substitution to execute arbitrary commands on the host as the dokku user during the app's next deploy. This vulnerability is fixed in 0.38.2.

AnalysisAI

OS command execution on the Dokku host is possible through the openresty-vhosts plugin in versions prior to 0.38.2, where custom OpenResty include filenames from an app's git repository are interpolated unescaped into a single-quoted shell string that is later run through eval. An attacker who can deploy a Dokku app with the openresty proxy enabled can plant a file whose name contains a single quote to break the quoting and inject a command substitution, executing arbitrary commands as the dokku user on the next deploy. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain deploy access to openresty-enabled app
Delivery
Commit include file with single-quote payload
Exploit
Push to trigger app deploy
Execution
Filename interpolated into eval shell string
Persist
Command substitution runs as dokku user
Impact
Host compromise and lateral movement

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) the app to use Dokku's openresty proxy - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting full confidentiality/integrity/availability impact with low attacker privileges and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with deploy access to a Dokku app that uses the openresty proxy adds a file under openresty/http-includes/ whose name contains an embedded single quote plus a command-substitution payload, then triggers a deploy. On the next deploy the plugin interpolates the filename into a single-quoted shell string passed to eval, breaking the quoting and executing the attacker's commands as the dokku user on the host. …
Remediation Vendor-released patch: 0.38.2 - upgrade Dokku to 0.38.2 or later, which adds filename sanitization (only alphanumeric, underscore, dot, and hyphen characters allowed; files whose names contain quotes, spaces, $, backticks, parentheses, or semicolons are skipped, and unsafe filenames abort the deploy) per PR https://github.com/dokku/dokku/pull/8588 and advisory https://github.com/dokku/dokku/security/advisories/GHSA-ggqh-98fj-8mg9. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Dokku instances running openresty-vhosts versions prior to 0.38.2 and audit deployment access permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

EUVD-2026-39803 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy