CVE-2026-43917

CVE-2026-43917 (Dokploy) describes an IDOR due to a missing organization scoping check in the protectedProcedure middleware prior to 0.19.0. The middleware only validates authentication, not that the resource’s organization matches the session’s activeOrganizationId, enabling cross-organization a...

EUVD-2026-33355

Dokploy is a free, self-hostable Platform as a Service PaaS. From 0.27.0 to before 0.29.3, a hardcoded BETTERAUTHSECRET fallback "better-auth-secret-123456789" lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the...

CVE-2026-45631 Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret

Dokploy is a free, self-hostable Platform as a Service PaaS. From 0.27.0 to before 0.29.3, a hardcoded BETTERAUTHSECRET fallback "better-auth-secret-123456789" lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the...

Dokploy 操作系统命令注入漏洞

Dokploy is an open-source software developed by Dokploy itself. Versions of Dokploy prior to 0.29.0 contained a vulnerability related to operating system command injection. This vulnerability arose because the deleteRegistry function executed the docker logout command without proper shell escapin...

Dokploy 安全漏洞

Dokploy is an open-source software developed by Dokploy itself. Versions of Dokploy 0.26.6 and earlier contain security vulnerabilities. These vulnerabilities stem from command injection in the /docker-container-logs WebSocket endpoint. The tail and since parameters are concatenated directly into...

Dokploy 操作系统命令注入漏洞

Dokploy is an open-source software developed by Dokploy itself. Versions of Dokploy 0.28.8 and earlier contained a vulnerability related to operating system command injection. This vulnerability stemmed from authenticated OS command injections at the WebSocket endpoints, allowing any member of an...

Dokploy 操作系统命令注入漏洞

Dokploy is an open-source software developed by Dokploy itself. Versions of Dokploy 0.26.6 and earlier contained a vulnerability related to operating system command injection. This vulnerability stemmed from insufficient cleanup of the appName parameter input, lack of pattern validation, and dire...

CVE-2026-24841

Dokploy is a free, self-hostable Platform as a Service PaaS. In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint /docker-container-terminal. The containerId and activeWay parameters are directly interpolated into shell commands without...

CVE-2026-24839

Dokploy is a free, self-hostable Platform as a Service PaaS. In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into...

CVE-2026-24840

Dokploy is a free, self-hostable Platform as a Service PaaS. In versions prior to 0.26.6, a hardcoded credential in the provided installation script located at https://dokploy.com/install.sh, line 154 uses a hardcoded password when creating the database container. This means that nearly all Dokpl...

EUVD-2025-20274

Malicious code in bioql PyPI...

EUVD-2025-21402

Malicious code in bioql PyPI...

CVE-2025-53825

Dokploy is a free, self-hostable Platform as a Service PaaS. Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This...

CVE-2025-53825

Dokploy is a free, self-hostable Platform as a Service PaaS. Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This...

CVE-2025-53825 Dokploy's Preview Deployments are vulnerable to Remote Code Execution

Dokploy is a free, self-hostable Platform as a Service PaaS. Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This...

CVE-2025-53825 Dokploy's Preview Deployments are vulnerable to Remote Code Execution

Dokploy is a free, self-hostable Platform as a Service PaaS. Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This...

CVE-2025-53825

Dokploy (PaaS) unreleased/preview deployments feature: prior to 0.24.3, unauthenticated preview deployments allow any user to execute arbitrary code and read sensitive environment variables by opening a pull request in a public repository. This is described as a remote code execution risk affecti...

PT-2025-29520 · Dokploy · Dokploy

Name of the Vulnerable Software and Affected Versions: Dokploy versions prior to 0.24.3 Description: Dokploy is a free, self-hostable Platform as a Service PaaS. A vulnerability in the preview deployment feature allows any user to execute arbitrary code and access sensitive environment variables ...

CVE-2025-53375

Dokploy is a self-hostable Platform as a Service PaaS that simplifies the deployment and management of applications and databases. An authenticated attacker can read any file that the Traefik process user can access e.g., /etc/passwd, application source, environment variable files containing...

CVE-2025-53374

Dokploy is a self-hostable Platform as a Service PaaS that simplifies the deployment and management of applications and databases. An authenticated low-privileged account can retrieve detailed profile information about another users in the same organization by directly invoking user.one. The...