CVE-2026-45663 CRITICAL

CVE-2026-45663: Dokploy: Remote Code Execution via destinationPath in Container File Upload

Vendor Dokploy
Product dokploy
Weakness CWE-77
Published May 29, 2026
Last update May 29, 2026

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is interpolated directly into a shell command string. By including shell metacharacters such as ; or ", an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host.
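The pattern described above next to a hardened form, as an added example that is not Dokploy's code or its actual fix. All function names, the container name web1 and the file paths are hypothetical, and the sample path is constructed from the metacharacters the description names.

```javascript
// Added illustration. Function names and sample values are hypothetical,
// not taken from Dokploy's source.

// Pattern the advisory describes: the path is pasted into a shell string.
function buildCopyCommandUnsafe(localFile, containerId, destinationPath) {
  return `docker cp "${localFile}" "${containerId}:${destinationPath}"`;
}

// Docker container names/IDs: alphanumeric start, then [a-zA-Z0-9_.-].
const CONTAINER_REF = /^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,127}$/;

function validateDestinationPath(p) {
  if (typeof p !== "string" || p.length === 0 || p.length > 4096) {
    throw new Error("destinationPath: bad type or length");
  }
  if (!p.startsWith("/")) throw new Error("destinationPath: must be absolute");
  if (/[\x00-\x1f\x7f]/.test(p)) throw new Error("destinationPath: control character");
  if (p.split("/").includes("..")) throw new Error("destinationPath: traversal segment");
  return p;
}

// Hardened pattern: validate, then build an argv array meant for
// child_process.execFile("docker", argv), which starts no shell.
// localFile is assumed to be a server-generated temp path.
function buildCopyArgv(localFile, containerId, destinationPath) {
  if (!CONTAINER_REF.test(containerId)) throw new Error("containerId: invalid");
  const dest = validateDestinationPath(destinationPath);
  return ["cp", localFile, `${containerId}:${dest}`];
}

// Constructed input using the metacharacters named in the description.
const SAMPLE_PATH = '/tmp/x"; echo INJECTED; "';

function compare() {
  return {
    // A shell would split this string at the unquoted ';'.
    shellString: buildCopyCommandUnsafe("/tmp/up.bin", "web1", SAMPLE_PATH),
    // Here the whole value stays inside one argv element.
    argv: buildCopyArgv("/tmp/up.bin", "web1", SAMPLE_PATH),
  };
}

console.log(compare());
```

In the argv form the quote and semicolon reach docker as literal characters of a single argument, so no metacharacter blocklist is needed; the validation only constrains what paths are acceptable.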

Key dates

02 Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated