Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
10 vulnerabilities by dokku
CVE-2026-54636 (GCVE-0-2026-54636)
Vulnerability from nvd – Published: 2026-06-26 16:23 – Updated: 2026-06-29 13:28
VLAI
Title
Dokku: OS Command Injection via app.json managed Cron
Summary
Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, > or ; - can break out of the Docker container and execute commands on the host as the Dokku user. This vulnerability is fixed in 0.38.7.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dokku/dokku/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/dokku/dokku/pull/8672 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:28:46.363010Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:28:56.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokku",
"vendor": "dokku",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, \u003e or ; - can break out of the Docker container and execute commands on the host as the Dokku user. This vulnerability is fixed in 0.38.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:23:58.377Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dokku/dokku/security/advisories/GHSA-72vm-7pc2-x95w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dokku/dokku/security/advisories/GHSA-72vm-7pc2-x95w"
},
{
"name": "https://github.com/dokku/dokku/pull/8672",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dokku/dokku/pull/8672"
}
],
"source": {
"advisory": "GHSA-72vm-7pc2-x95w",
"discovery": "UNKNOWN"
},
"title": "Dokku: OS Command Injection via app.json managed Cron"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54636",
"datePublished": "2026-06-26T16:23:58.377Z",
"dateReserved": "2026-06-15T20:07:02.185Z",
"dateUpdated": "2026-06-29T13:28:56.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45408 (GCVE-0-2026-45408)
Vulnerability from nvd – Published: 2026-06-26 16:19 – Updated: 2026-06-26 18:41
VLAI
Title
Dokku: OS Command Injection via App Name in Git Pre-Receive Hook
Summary
Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc (<<EOF instead of <<'EOF') in fn-git-create-hook() at plugins/git/internal-functions:378. On git push, bash interprets the semicolon as a command separator, executing arbitrary commands as the dokku user. This vulnerability is fixed in 0.38.2.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dokku/dokku/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/dokku/dokku/pull/8590 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T18:14:28.682565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T18:41:32.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokku",
"vendor": "dokku",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc (\u003c\u003cEOF instead of \u003c\u003c\u0027EOF\u0027) in fn-git-create-hook() at plugins/git/internal-functions:378. On git push, bash interprets the semicolon as a command separator, executing arbitrary commands as the dokku user. This vulnerability is fixed in 0.38.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:19:56.118Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dokku/dokku/security/advisories/GHSA-9x85-7gxq-fcr3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dokku/dokku/security/advisories/GHSA-9x85-7gxq-fcr3"
},
{
"name": "https://github.com/dokku/dokku/pull/8590",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dokku/dokku/pull/8590"
}
],
"source": {
"advisory": "GHSA-9x85-7gxq-fcr3",
"discovery": "UNKNOWN"
},
"title": "Dokku: OS Command Injection via App Name in Git Pre-Receive Hook"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45408",
"datePublished": "2026-06-26T16:19:56.118Z",
"dateReserved": "2026-05-12T01:48:40.452Z",
"dateUpdated": "2026-06-26T18:41:32.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45407 (GCVE-0-2026-45407)
Vulnerability from nvd – Published: 2026-06-26 16:21 – Updated: 2026-06-26 18:06
VLAI
Title
Dokku: Git Credentials in .netrc Stored World-Readable Due to Premature touch
Summary
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2.
Severity
5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dokku/dokku/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/dokku/dokku/pull/8589 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T18:05:54.597071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T18:06:03.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokku",
"vendor": "dokku",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash\u0027s touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary\u0027s built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:21:25.215Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dokku/dokku/security/advisories/GHSA-xh7p-9crg-pchr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dokku/dokku/security/advisories/GHSA-xh7p-9crg-pchr"
},
{
"name": "https://github.com/dokku/dokku/pull/8589",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dokku/dokku/pull/8589"
}
],
"source": {
"advisory": "GHSA-xh7p-9crg-pchr",
"discovery": "UNKNOWN"
},
"title": "Dokku: Git Credentials in .netrc Stored World-Readable Due to Premature touch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45407",
"datePublished": "2026-06-26T16:21:25.215Z",
"dateReserved": "2026-05-12T01:48:40.452Z",
"dateUpdated": "2026-06-26T18:06:03.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45406 (GCVE-0-2026-45406)
Vulnerability from nvd – Published: 2026-06-26 16:22 – Updated: 2026-06-26 18:30
VLAI
Title
Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval
Summary
Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command substitution to execute arbitrary commands on the host as the dokku user during the app's next deploy. This vulnerability is fixed in 0.38.2.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dokku/dokku/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/dokku/dokku/pull/8588 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T18:30:39.843727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T18:30:50.240Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokku",
"vendor": "dokku",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app\u0027s openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command substitution to execute arbitrary commands on the host as the dokku user during the app\u0027s next deploy. This vulnerability is fixed in 0.38.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:22:17.290Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dokku/dokku/security/advisories/GHSA-ggqh-98fj-8mg9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dokku/dokku/security/advisories/GHSA-ggqh-98fj-8mg9"
},
{
"name": "https://github.com/dokku/dokku/pull/8588",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dokku/dokku/pull/8588"
}
],
"source": {
"advisory": "GHSA-ggqh-98fj-8mg9",
"discovery": "UNKNOWN"
},
"title": "Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45406",
"datePublished": "2026-06-26T16:22:17.290Z",
"dateReserved": "2026-05-12T01:48:40.451Z",
"dateUpdated": "2026-06-26T18:30:50.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45405 (GCVE-0-2026-45405)
Vulnerability from nvd – Published: 2026-06-26 16:23 – Updated: 2026-06-26 16:50
VLAI
Title
Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add
Summary
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user — including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dokku/dokku/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/dokku/dokku/pull/8591 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T16:49:35.215582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:50:07.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokku",
"vendor": "dokku",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user \u2014 including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:23:05.454Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dokku/dokku/security/advisories/GHSA-j6qq-xg73-ghqg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dokku/dokku/security/advisories/GHSA-j6qq-xg73-ghqg"
},
{
"name": "https://github.com/dokku/dokku/pull/8591",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dokku/dokku/pull/8591"
}
],
"source": {
"advisory": "GHSA-j6qq-xg73-ghqg",
"discovery": "UNKNOWN"
},
"title": "Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45405",
"datePublished": "2026-06-26T16:23:05.454Z",
"dateReserved": "2026-05-12T01:48:40.451Z",
"dateUpdated": "2026-06-26T16:50:07.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-54636 (GCVE-0-2026-54636)
Vulnerability from cvelistv5 – Published: 2026-06-26 16:23 – Updated: 2026-06-29 13:28
VLAI
Title
Dokku: OS Command Injection via app.json managed Cron
Summary
Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, > or ; - can break out of the Docker container and execute commands on the host as the Dokku user. This vulnerability is fixed in 0.38.7.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dokku/dokku/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/dokku/dokku/pull/8672 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:28:46.363010Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:28:56.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokku",
"vendor": "dokku",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, \u003e or ; - can break out of the Docker container and execute commands on the host as the Dokku user. This vulnerability is fixed in 0.38.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:23:58.377Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dokku/dokku/security/advisories/GHSA-72vm-7pc2-x95w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dokku/dokku/security/advisories/GHSA-72vm-7pc2-x95w"
},
{
"name": "https://github.com/dokku/dokku/pull/8672",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dokku/dokku/pull/8672"
}
],
"source": {
"advisory": "GHSA-72vm-7pc2-x95w",
"discovery": "UNKNOWN"
},
"title": "Dokku: OS Command Injection via app.json managed Cron"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54636",
"datePublished": "2026-06-26T16:23:58.377Z",
"dateReserved": "2026-06-15T20:07:02.185Z",
"dateUpdated": "2026-06-29T13:28:56.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45405 (GCVE-0-2026-45405)
Vulnerability from cvelistv5 – Published: 2026-06-26 16:23 – Updated: 2026-06-26 16:50
VLAI
Title
Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add
Summary
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user — including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dokku/dokku/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/dokku/dokku/pull/8591 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T16:49:35.215582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:50:07.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokku",
"vendor": "dokku",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user \u2014 including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:23:05.454Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dokku/dokku/security/advisories/GHSA-j6qq-xg73-ghqg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dokku/dokku/security/advisories/GHSA-j6qq-xg73-ghqg"
},
{
"name": "https://github.com/dokku/dokku/pull/8591",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dokku/dokku/pull/8591"
}
],
"source": {
"advisory": "GHSA-j6qq-xg73-ghqg",
"discovery": "UNKNOWN"
},
"title": "Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45405",
"datePublished": "2026-06-26T16:23:05.454Z",
"dateReserved": "2026-05-12T01:48:40.451Z",
"dateUpdated": "2026-06-26T16:50:07.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45406 (GCVE-0-2026-45406)
Vulnerability from cvelistv5 – Published: 2026-06-26 16:22 – Updated: 2026-06-26 18:30
VLAI
Title
Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval
Summary
Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command substitution to execute arbitrary commands on the host as the dokku user during the app's next deploy. This vulnerability is fixed in 0.38.2.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dokku/dokku/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/dokku/dokku/pull/8588 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T18:30:39.843727Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T18:30:50.240Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokku",
"vendor": "dokku",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app\u0027s openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command substitution to execute arbitrary commands on the host as the dokku user during the app\u0027s next deploy. This vulnerability is fixed in 0.38.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:22:17.290Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dokku/dokku/security/advisories/GHSA-ggqh-98fj-8mg9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dokku/dokku/security/advisories/GHSA-ggqh-98fj-8mg9"
},
{
"name": "https://github.com/dokku/dokku/pull/8588",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dokku/dokku/pull/8588"
}
],
"source": {
"advisory": "GHSA-ggqh-98fj-8mg9",
"discovery": "UNKNOWN"
},
"title": "Dokku: Host RCE via Maliciously Named OpenResty Include Files Injected Through eval"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45406",
"datePublished": "2026-06-26T16:22:17.290Z",
"dateReserved": "2026-05-12T01:48:40.451Z",
"dateUpdated": "2026-06-26T18:30:50.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45407 (GCVE-0-2026-45407)
Vulnerability from cvelistv5 – Published: 2026-06-26 16:21 – Updated: 2026-06-26 18:06
VLAI
Title
Dokku: Git Credentials in .netrc Stored World-Readable Due to Premature touch
Summary
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2.
Severity
5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dokku/dokku/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/dokku/dokku/pull/8589 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T18:05:54.597071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T18:06:03.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokku",
"vendor": "dokku",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash\u0027s touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary\u0027s built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:21:25.215Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dokku/dokku/security/advisories/GHSA-xh7p-9crg-pchr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dokku/dokku/security/advisories/GHSA-xh7p-9crg-pchr"
},
{
"name": "https://github.com/dokku/dokku/pull/8589",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dokku/dokku/pull/8589"
}
],
"source": {
"advisory": "GHSA-xh7p-9crg-pchr",
"discovery": "UNKNOWN"
},
"title": "Dokku: Git Credentials in .netrc Stored World-Readable Due to Premature touch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45407",
"datePublished": "2026-06-26T16:21:25.215Z",
"dateReserved": "2026-05-12T01:48:40.452Z",
"dateUpdated": "2026-06-26T18:06:03.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45408 (GCVE-0-2026-45408)
Vulnerability from cvelistv5 – Published: 2026-06-26 16:19 – Updated: 2026-06-26 18:41
VLAI
Title
Dokku: OS Command Injection via App Name in Git Pre-Receive Hook
Summary
Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc (<<EOF instead of <<'EOF') in fn-git-create-hook() at plugins/git/internal-functions:378. On git push, bash interprets the semicolon as a command separator, executing arbitrary commands as the dokku user. This vulnerability is fixed in 0.38.2.
Severity
9 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/dokku/dokku/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/dokku/dokku/pull/8590 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T18:14:28.682565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T18:41:32.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dokku",
"vendor": "dokku",
"versions": [
{
"status": "affected",
"version": "\u003c 0.38.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc (\u003c\u003cEOF instead of \u003c\u003c\u0027EOF\u0027) in fn-git-create-hook() at plugins/git/internal-functions:378. On git push, bash interprets the semicolon as a command separator, executing arbitrary commands as the dokku user. This vulnerability is fixed in 0.38.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:19:56.118Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dokku/dokku/security/advisories/GHSA-9x85-7gxq-fcr3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dokku/dokku/security/advisories/GHSA-9x85-7gxq-fcr3"
},
{
"name": "https://github.com/dokku/dokku/pull/8590",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dokku/dokku/pull/8590"
}
],
"source": {
"advisory": "GHSA-9x85-7gxq-fcr3",
"discovery": "UNKNOWN"
},
"title": "Dokku: OS Command Injection via App Name in Git Pre-Receive Hook"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45408",
"datePublished": "2026-06-26T16:19:56.118Z",
"dateReserved": "2026-05-12T01:48:40.452Z",
"dateUpdated": "2026-06-26T18:41:32.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}