28 matches found
CVE-2026-43917
CVE-2026-43917 (Dokploy) describes an IDOR due to a missing organization scoping check in the protectedProcedure middleware prior to 0.19.0. The middleware only validates authentication, not that the resource’s organization matches the session’s activeOrganizationId, enabling cross-organization a...
CVE-2026-45631 Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret
Dokploy is a free, self-hostable Platform as a Service PaaS. From 0.27.0 to before 0.29.3, a hardcoded BETTERAUTHSECRET fallback "better-auth-secret-123456789" lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the...
EUVD-2026-33355
Dokploy is a free, self-hostable Platform as a Service PaaS. From 0.27.0 to before 0.29.3, a hardcoded BETTERAUTHSECRET fallback "better-auth-secret-123456789" lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the...
CVE-2026-45631 Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret
Dokploy is a free, self-hostable Platform as a Service PaaS. From 0.27.0 to before 0.29.3, a hardcoded BETTERAUTHSECRET fallback "better-auth-secret-123456789" lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the...
CVE-2026-45661 Dokploy: Remote Code Execution through Path Traversal
Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy's remote serve...
Dokploy 操作系统命令注入漏洞
Dokploy is an open-source software developed by Dokploy itself. Versions of Dokploy 0.28.8 and earlier contained a vulnerability related to operating system command injection. This vulnerability stemmed from authenticated OS command injections at the WebSocket endpoints, allowing any member of an...
Dokploy 操作系统命令注入漏洞
Dokploy is an open-source software developed by Dokploy itself. Versions of Dokploy prior to 0.29.0 contained a vulnerability related to operating system command injection. This vulnerability arose because the deleteRegistry function executed the docker logout command without proper shell escapin...
Dokploy 安全漏洞
Dokploy is an open-source software developed by Dokploy itself. Versions of Dokploy 0.26.6 and earlier contain security vulnerabilities. These vulnerabilities stem from command injection in the /docker-container-logs WebSocket endpoint. The tail and since parameters are concatenated directly into...
Dokploy 操作系统命令注入漏洞
Dokploy is an open-source software developed by Dokploy itself. Versions of Dokploy 0.26.6 and earlier contained a vulnerability related to operating system command injection. This vulnerability stemmed from insufficient cleanup of the appName parameter input, lack of pattern validation, and dire...
CVE-2026-24841
Dokploy is a free, self-hostable Platform as a Service PaaS. In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint /docker-container-terminal. The containerId and activeWay parameters are directly interpolated into shell commands without...
CVE-2026-24839
Dokploy is a free, self-hostable Platform as a Service PaaS. In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into...
CVE-2026-24840
Dokploy is a free, self-hostable Platform as a Service PaaS. In versions prior to 0.26.6, a hardcoded credential in the provided installation script located at https://dokploy.com/install.sh, line 154 uses a hardcoded password when creating the database container. This means that nearly all Dokpl...
EUVD-2025-21402
Malicious code in bioql PyPI...
EUVD-2025-20274
Malicious code in bioql PyPI...
CVE-2025-53825
Dokploy is a free, self-hostable Platform as a Service PaaS. Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This...
CVE-2025-53825
Dokploy is a free, self-hostable Platform as a Service PaaS. Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This...
CVE-2025-53825
Dokploy (PaaS) unreleased/preview deployments feature: prior to 0.24.3, unauthenticated preview deployments allow any user to execute arbitrary code and read sensitive environment variables by opening a pull request in a public repository. This is described as a remote code execution risk affecti...
CVE-2025-53825 Dokploy's Preview Deployments are vulnerable to Remote Code Execution
Dokploy is a free, self-hostable Platform as a Service PaaS. Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This...
CVE-2025-53825 Dokploy's Preview Deployments are vulnerable to Remote Code Execution
Dokploy is a free, self-hostable Platform as a Service PaaS. Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This...
PT-2025-29520 · Dokploy · Dokploy
Name of the Vulnerable Software and Affected Versions: Dokploy versions prior to 0.24.3 Description: Dokploy is a free, self-hostable Platform as a Service PaaS. A vulnerability in the preview deployment feature allows any user to execute arbitrary code and access sensitive environment variables ...