CVE-2026-27130
Dokploy · Dokploy
Dokploy 0.26.6 and below contain an OS command injection vulnerability in the appName parameter, allowing authenticated attackers to execute arbitrary commands with server-level privileges.
Executive summary
An authenticated OS command injection vulnerability in Dokploy allows an authenticated attacker to achieve code execution with server-level privileges, leading to full system compromise.
Vulnerability
The application fails to properly sanitize the appName parameter before passing it to system shell commands, allowing an authenticated attacker to inject shell metacharacters.
Business impact
The CVSS score of 9.9 reflects the high severity of this command injection. An authenticated attacker can escalate their access to full server control, potentially destroying the PaaS environment or gaining access to all hosted applications and their associated data.
Remediation
Immediate Action: Upgrade Dokploy to version 0.26.7 or later.
Proactive Monitoring: Review application logs for appName values that contain shell metacharacters or unexpected command strings.
Compensating Controls: Implement strict input validation on the application creation interface and limit user access to sensitive administrative functions.
Exploitation status
Public Exploit Available: No