Lucene search
+L

34 matches found

nvd
nvd
added 2026/06/26 5:16 p.m.14 views

CVE-2026-54636

Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, or ; - can break out of the Docker container and...

9.9CVSS0.00274EPSS
Exploits0References2
nvd
nvd
added 2026/06/26 5:16 p.m.10 views

CVE-2026-45407

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKUROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user wh...

5.5CVSS0.00089EPSS
Exploits0References2
nvd
nvd
added 2026/06/26 5:16 p.m.9 views

CVE-2026-45406

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename...

9CVSS0.00274EPSS
Exploits0References2
nvd
nvd
added 2026/06/26 5:16 p.m.11 views

CVE-2026-45405

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequen...

9CVSS0.00289EPSS
Exploits0References2
nvd
nvd
added 2026/06/26 5:16 p.m.9 views

CVE-2026-45408

Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex ^a-z0-9^/:A-Z$ permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc EOF...

9CVSS0.00234EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/26 4:23 p.m.35 views

CVE-2026-54636 Dokku: OS Command Injection via app.json managed Cron

Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, or ; - can break out of the Docker container and...

9CVSS0.00274EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/26 4:23 p.m.7 views

CVE-2026-54636

Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, or ; - can break out of the Docker container and...

9.9CVSS5.9AI score0.00274EPSS
Exploits0References3Affected Software1
euvd
euvd
added 2026/06/26 4:23 p.m.9 views

EUVD-2026-39806

Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, or ; - can break out of the Docker container and...

9.9CVSS5.9AI score0.00274EPSS
Exploits0References2
osv
osv
added 2026/06/26 4:23 p.m.4 views

CVE-2026-54636 Dokku: OS Command Injection via app.json managed Cron

Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, or ; - can break out of the Docker container and...

9CVSS6.1AI score0.00274EPSS
Exploits0References4
cve
cve
added 2026/06/26 4:23 p.m.22 views

CVE-2026-54636

CVE-2026-54636 concerns Dokku’s cron plugin, which prior to 0.38.7 used commands from app.json to manage system cron for the Dokku user. A cron entry containing shell metacharacters (e.g., >, ;) can escape the container and run commands on the host as the Dokku user, enabling OS command inject...

9.9CVSS5.9AI score0.00274EPSS
Exploits0References2Affected Software1
euvd
euvd
added 2026/06/26 4:23 p.m.7 views

EUVD-2026-39804

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequen...

9CVSS5.9AI score0.00289EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/26 4:23 p.m.9 views

CVE-2026-45405

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequen...

9CVSS5.9AI score0.00289EPSS
Exploits0References3Affected Software1
cvelist
cvelist
added 2026/06/26 4:23 p.m.39 views

CVE-2026-45405 Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequen...

9CVSS0.00289EPSS
Exploits0References2
osv
osv
added 2026/06/26 4:23 p.m.3 views

CVE-2026-45405 Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequen...

9CVSS6AI score0.00289EPSS
Exploits0References4
cve
cve
added 2026/06/26 4:23 p.m.20 views

CVE-2026-45405

Dokku before 0.38.2 is affected by a file-write vulnerability in tar extraction during git:from-archive and certs:add. User-supplied tar/zip archives are extracted into temporary directories without sanitizing member paths or preventing symlink traversal; GNU tar can create and follow symlinks, e...

9CVSS5.9AI score0.00289EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2026/06/26 4:22 p.m.34 views

CVE-2026-45406 Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename...

9CVSS0.00274EPSS
Exploits0References2
cve
cve
added 2026/06/26 4:22 p.m.24 views

CVE-2026-45406

Technical details are not publicly available in the provided documents; monitor for updates.

9CVSS6.1AI score0.00274EPSS
Exploits0References2Affected Software1
euvd
euvd
added 2026/06/26 4:22 p.m.8 views

EUVD-2026-39803

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename...

9CVSS6.1AI score0.00274EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/26 4:22 p.m.7 views

CVE-2026-45406

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename...

9CVSS6.1AI score0.00274EPSS
Exploits0References3Affected Software1
osv
osv
added 2026/06/26 4:22 p.m.4 views

CVE-2026-45406 Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename...

9CVSS6.2AI score0.00274EPSS
Exploits0References4
Rows per page
Query Builder