CVE-2026-27130
CriticalSummary
Dokploy is a free PaaS that has OS command injection vulnerability through the appName parameter in versions 0.26.6 and below. The issues stem from inadequate input sanitization, lack of schema validation, and direct shell interpolation.
Risk Assessment
The risk is that an authenticated attacker can inject shell metacharacters, leading to unauthorized command execution with server-level privileges. This could result in serious security breaches.
Recommendation
It is recommended to upgrade to version 0.26.7, which resolves this issue. Additionally, implementing further input sanitization and validation mechanisms is advisable.
Original NVD description (English source)
Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input sanitization, lack of schema validation and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, &) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7.

