PT-2026-41737 · Dokploy · Dokploy

Published 2026-05-18 · Updated 2026-05-19 · CVE-2026-27130 · CVSS v3.1 9.9 Critical · Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dokploy versions prior to 0.26.7
Description: OS command injection caused by inadequate input sanitization, missing schema validation, and direct shell interpolation. User-controlled application names pass through the cleanAppName() function, which only replaces spaces and lowercases the string, and are then interpolated into shell command strings executed via execAsync() and execAsyncRemote(). An authenticated attacker can supply an appName containing shell metacharacters such as ;, $(), backticks, |, or & when creating an application. Because the stored name is reused by later service operations (start, stop, remove, scale), the injected commands run with the privileges of the Dokploy server process whenever one of those operations is triggered, locally or on the remote host targeted by execAsyncRemote().
Recommendations: Update to version 0.26.7. As a temporary workaround until the update is applied, restrict appName to alphanumeric characters only; since the name is re-executed by later service operations, also review applications created before the restriction was put in place.

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2026-27130

Affected Products: Dokploy