CVE-2026-45662 Dokploy: Command Injection via incomplete shell escaping in docker logout (registry deletion)

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.29.0 and earlier, the deleteRegistry function in Dokploy packages/server/src/services/registry.ts executes docker logout $response.registryUrl without shell escaping. In the same file, the docker login command correctly uses shEsca...

CVE-2026-45662

Dokploy (PaaS) vulnerability CVE-2026-45662 affects deleteRegistry in packages/server/src/services/registry.ts. In 0.29.0 and earlier, docker logout ${response.registryUrl} is executed without shell escaping, while docker login uses shEscape() to prevent injection. This inconsistency enables a po...

CVE-2026-45662 Dokploy: Command Injection via incomplete shell escaping in docker logout (registry deletion)

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.29.0 and earlier, the deleteRegistry function in Dokploy packages/server/src/services/registry.ts executes docker logout $response.registryUrl without shell escaping. In the same file, the docker login command correctly uses shEsca...

EUVD-2026-33349

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.29.0 and earlier, the deleteRegistry function in Dokploy packages/server/src/services/registry.ts executes docker logout $response.registryUrl without shell escaping. In the same file, the docker login command correctly uses shEsca...

PT-2026-44903

Name of the Vulnerable Software and Affected Versions Dokploy versions prior to 0.29.1 Description Dokploy is a self-hostable Platform as a Service PaaS. A command injection issue exists in the deleteRegistry function within the packages/server/src/services/registry.ts file. The application...