CVE-2026-45663 – Dokploy: Remote Code Execution via destinationPath in Container File Upload

CVE ID :CVE-2026-45663

Published : May 29, 2026, 4:16 p.m. | 15 minutes ago

Description :Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or “, an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host.

Severity: 9.9 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-7786 – Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter Use of Hard-coded Credentials

CVE-2026-6824 – CP Plus 8 Ch. Network Video Recorder Cross-site Scripting

CVE-2026-5768 – Fourth Frontier Frontier X Mobile Application, Frontier X2 Missing Authentication for Critical Function

CVE-2026-5386 – KMW CCTV Security Cameras Unverified Password Change