Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and e…

CVE-2026-45628 affects Dokploy, a self-hostable Platform as a Service (PaaS), in versions 0.29.2 and earlier. The vulnerability involves command injection through JavaScript template literals where user-supplied branch names, repository URLs, and Docker credentials are interpolated directly into shell commands without proper escaping. Commands are executed via child_process.exec() through /bin/sh -c. Exploitation requires an authenticated user with application create/edit privileges. This represents a critical security flaw in the platform's command construction mechanism.