Vulnerability Database

322,129

Total vulnerabilities in the database

CVE-2026-24841

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint /docker-container-terminal. The containerId and activeWay parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.

Published: Jan 28, 2026
Updated: Feb 5, 2026
CVE: CVE-2026-24841
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.9
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
dokploy / dokploy	-	0.26.6

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo