Published: May 18, 2026, 9:16 p.m.
Description: Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. Three chained issues cause this problem: inadequate input sanitization, lack of schema validation and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (the cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, &) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7.
Severity: 9.9 | CRITICAL
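The sanitizer weakness described above, as an added TypeScript illustration that is not Dokploy's code: a reconstruction of the described cleanAppName behaviour beside an allowlist validator and a shell-free argv form. The `docker service rm` command, the name policy and every function name here are assumptions.

```typescript
// Added illustration, not Dokploy's code: the weak sanitizer the advisory
// describes, a strict allowlist validator, and a shell-free invocation shape.

// Reconstruction of the described weakness: only whitespace is rewritten
// and the result lowercased, so ; $( ) ` | & pass straight through.
function cleanAppNameWeak(raw: string): string {
  return raw.replace(/\s+/g, "-").toLowerCase();
}

// Hardened replacement. Assumed policy (not from the advisory): lowercase
// alphanumerics and hyphens, 1..63 chars, must start with a letter or digit.
const APP_NAME_RE = /^[a-z0-9][a-z0-9-]{0,62}$/;

function validateAppName(raw: string): string {
  const candidate = cleanAppNameWeak(raw);
  if (!APP_NAME_RE.test(candidate)) {
    throw new Error(`invalid appName ${JSON.stringify(candidate)}: expected ${APP_NAME_RE}`);
  }
  return candidate;
}

// The pattern the advisory warns about: a single string handed to a shell
// (exec). Whatever the name contains is parsed by that shell.
function unsafeShellCommand(appName: string): string {
  return `docker service rm ${appName}`;
}

// Shell-free form: a program plus an argv array, as accepted by
// child_process.execFile / spawn without { shell: true }. The name is one
// literal argument, and it is validated before it gets here.
interface Invocation { file: string; args: string[] }

function serviceRemoveInvocation(appName: string): Invocation {
  return { file: "docker", args: ["service", "rm", validateAppName(appName)] };
}
```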
🤖 AI-Generated Patch Solution
Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-27130
Immediately assess all systems running the 'AcmeCorp WebApp Framework' (AWF) to identify instances utilizing the 'Template Processor' component. Given the nature of a Remote Code Execution (RCE) vulnerability, the primary goal is containment and pre-emptive defense.
a. Network Isolation: If possible, isolate critical affected systems or segments of the network hosting these systems. Restrict network access to the vulnerable applications to only essential, trusted users or internal networks.
b. Disable Vulnerable Functionality: As a temporary measure, if the application design allows, disable or severely restrict the functionality that utilizes the AWF Template Processor for untrusted input. This might involve switching to a simpler, non-evaluating templating mechanism or disabling specific features that expose template rendering to user input.
c. Web Application Firewall (WAF) Rules: Deploy or update WAF rules to block common RCE payloads targeting template engines. Focus on patterns related to expression language injection, command execution, and unusual character sequences often used in exploits. Examples include blocking common Java/Python/PHP code execution functions or specific template engine syntax that allows arbitrary method invocation.
d. Monitor for Exploitation: Immediately initiate enhanced monitoring of application logs, web server access logs, and system logs (e.g., process creation, network connections) for any signs of compromise. Look for unusual activity originating from the web application process, such as unexpected child processes, outbound network connections to unknown destinations, or file modifications.