Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and e…

Dokploy Platform as a Service (PaaS) versions 0.29.2 and earlier are vulnerable to command injection through shell command construction using JavaScript template literals. User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into shell commands without proper escaping. The vulnerability is executed via child_process.exec() which runs through /bin/sh -c. Exploitation requires an authenticated user with application create/edit privileges, making this a high-severity issue for affected Dokploy deployments.