CVE-2026-45628— Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45628
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline
Source: NVD (National Vulnerability Database)
Vulnerability Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45628
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45628
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-45628 (1)
Same Patch Batch · Dokploy · 2026-05-29 · 10 CVEs total
| CVE-2026-45631 | 10.0 CRITICAL | Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret |
| CVE-2026-45663 | 9.9 CRITICAL | Dokploy: Remote Code Execution via destinationPath in Container File Upload |
| CVE-2026-45629 | 9.9 CRITICAL | Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment W |
| CVE-2026-45632 | 9.9 CRITICAL | Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution |
| CVE-2026-45661 | 9.9 CRITICAL | Dokploy: Remote Code Execution through Path Traversal |
| CVE-2026-45633 | 9.9 CRITICAL | Dokploy: Command Injection in /docker-container-logs Endpoint |
| CVE-2026-45630 | 9.0 CRITICAL | Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig |
| CVE-2026-45662 | 8.8 HIGH | Dokploy: Command Injection via incomplete shell escaping in docker logout (registry deleti |
| CVE-2026-43917 | Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints missing activeOrganizationId va |
IV. Related Vulnerabilities
Same product: dokploy
- CVE-2026-45629
Dokploy: Authenticated Remote Code Execution via Command Inj - CVE-2026-43917
Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints m - CVE-2026-45630
Dokploy: Authenticated Remote Code Execution via Command Inj - CVE-2026-45631
Dokploy: Pre-Auth Admin Takeover via Hardcoded Authenticatio - CVE-2026-45632
Dokploy: Schedule Authorization Bypass Enables Host/Server C
Same vendor: Dokploy
- CVE-2026-45629
Dokploy: Authenticated Remote Code Execution via Command Inj - CVE-2026-43917
Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints m - CVE-2026-45630
Dokploy: Authenticated Remote Code Execution via Command Inj - CVE-2026-45631
Dokploy: Pre-Auth Admin Takeover via Hardcoded Authenticatio - CVE-2026-45632
Dokploy: Schedule Authorization Bypass Enables Host/Server C
Same weakness: CWE-20
V. Comments for CVE-2026-45628
No comments yet