Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-45628 -- CVSS 9.6 Vulnerability Briefing

CVE-2026-45628 | CVSS 9.6 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-45628 is a command injection vulnerability in Dokploy, a self-hostable open-source Platform as a Service application, affecting version 0.29.2 and earlier, where unsanitized user input is incorporated into shell commands constructed via JavaScript template literals and executed through Node.js child_process.exec().

Technical Detail

The flaw arises because Dokploy builds shell command strings by interpolating user-controlled values directly into JavaScript template literals without adequate sanitization or escaping before passing them to child_process.exec(), which invokes a system shell and is therefore susceptible to shell metacharacter injection. An attacker who can supply crafted input to the affected code path can break out of the intended command context and inject arbitrary shell commands. Successful exploitation results in remote code execution (RCE) on the host running the Dokploy instance, with the process privileges of the Node.js application, which in self-hosted PaaS deployments is frequently elevated.

Exploitation Status

No known exploit exists for this vulnerability at this time. The exploit maturity is currently unverified, and no public proof-of-concept code has been confirmed. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog as of June 05, 2026. The critical CVSS score of 9.6 reflects the theoretical severity of the flaw, not confirmed active exploitation.

Who Is Targeting This

No confirmed threat actor attribution has been established for this vulnerability. Reported (research-inferred, medium confidence): BLACKOASIS, COPYKITTENS, GALLMAKER, EVILNUM, and LOTUSBLOSSOM have been associated with this CVE in threat intelligence reporting, though the basis for these associations has not been independently verified and motivations remain unknown for each. These attributions should be treated as preliminary and not as confirmed operational targeting.

What To Do

Operators running Dokploy 0.29.2 or earlier should upgrade to the latest available release as the primary remediation step. Given the critical CVSS score and the nature of RCE via command injection, patching should be treated as high priority, particularly for internet-exposed instances. If immediate patching is not feasible, restrict network access to the Dokploy management interface to trusted IP ranges only and ensure the application does not run with root or elevated system privileges. Monitor process execution logs for anomalous child process spawning from the Dokploy application process, and review shell command execution logs for unexpected metacharacters or command chaining patterns such as semicolons, pipes, or backtick sequences in command arguments.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →