Dokploy
Authenticated OS command injection in Dokploy 0.28.8 and earlier lets any organization member execute arbitrary system commands on remote servers managed by the PaaS via the /listen-deployment WebSocket endpoint, resulting in full server compromise. With a CVSS 9.9 (scope changed) and low-privilege precondition, the flaw effectively turns any low-tier org account into a foothold on every connected host. No public exploit identified at time of analysis, but the vendor security advisory (GHSA-r73h-qr3p-hf7f) confirms the issue.
Missing organization-level authorization in Dokploy 0.19.0 and earlier allows authenticated users from one organization to access, modify, and delete resources belonging to other organizations on the same instance. The shared `protectedProcedure` middleware confirms session authentication but never validates that the requested resource belongs to the caller's active organization, exposing 22 endpoints spanning deployments, backups, volume operations, cluster management, and mounts to cross-organization abuse. No public exploit code has been identified at time of analysis, and this CVE has not been added to the CISA KEV catalog.
Authenticated OS command injection in Dokploy 0.28.8 and earlier lets admin or owner users execute arbitrary shell commands on remote servers managed by the PaaS through the application.updateTraefikConfig tRPC endpoint. The flaw stems from unsanitized shell interpolation in an echo call, granting full command execution across any host the Dokploy controller manages. No public exploit identified at time of analysis, but the high-privilege admin context combined with cross-server reach makes this a meaningful post-compromise escalation path.
Remote code execution in Dokploy 0.27.0 through 0.29.2 allows unauthenticated attackers to forge email-verification JWTs using a hardcoded BETTER_AUTH_SECRET fallback ('better-auth-secret-123456789'), auto-sign-in as admin, and run arbitrary commands on the host through the built-in SSH terminal. The flaw carries a CVSS 10.0 score with network attack vector and no required privileges, and while no public exploit is identified at time of analysis, the trivially guessable secret makes weaponization straightforward.
Cross-tenant remote code execution in Dokploy 0.26.7 and earlier allows any authenticated user to hijack scheduled tasks belonging to other organizations and execute arbitrary scripts on the Dokploy host or managed remote servers. The schedule router fails to enforce organization and role authorization, so knowledge of a scheduleId/serverId is sufficient to create, modify, or trigger server-type schedules that run attacker-controlled shell commands. No public exploit identified at time of analysis, but the trivial authorization bypass combined with built-in script execution makes this a high-priority issue for multi-tenant Dokploy deployments.
Authenticated path traversal in Dokploy v0.26.5 and earlier (CWE-22) enables arbitrary file write during application deployment, escalating to remote code execution when the affected instance uses the remote server deployment feature. With a CVSS 9.9 score reflecting scope change and full CIA impact, any user with deployment privileges can drop cron jobs onto remote hosts to fully compromise them, bypassing container isolation. No public exploit identified at time of analysis, though the vendor's own GHSA-66v7-g3fh-47h3 advisory characterizes the chain as critical.
Dokploy self-hosted PaaS prior to 0.26.6 has a critical command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands on the host.
Dokploy versions before 0.26.6 contain hardcoded database credentials in the installation script, causing nearly all deployments to share identical credentials that can be obtained from the publicly available install.sh file. An authenticated attacker on the network can leverage these credentials to access the database, potentially achieving high-impact compromise of confidentiality, integrity, and availability. Public exploit code exists for this vulnerability and a patch is available in version 0.26.6 and later.
Dokploy versions up to 0.26.6 are affected by improper restriction of rendered UI layers or frames (CVSS 4.7).
CVE-2025-53825 is a critical unauthenticated remote code execution vulnerability in Dokploy versions prior to 0.24.3, where attackers can execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This vulnerability affects all public Dokploy instances utilizing preview deployments and carries a CVSS score of 9.4 (Critical), with no authentication or user interaction required, making it immediately exploitable by any network-adjacent attacker.
Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure docker.getContainersByAppNameMatch interpolates the attacker-supplied appName value into a Docker CLI call without sanitisation, enabling command injection under the Dokploy service account. This vulnerability is fixed in 0.23.7.
Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated attacker can read any file that the Traefik process user can access (e.g., /etc/passwd, application source, environment variable files containing credentials and secrets). This may lead to full compromise of other services or lateral movement. This vulnerability is fixed in 0.23.7.
A security vulnerability in Dokploy (CVSS 4.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.