Dokku vulnerabilities

5 known vulnerabilities affecting dokku/dokku.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0

Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 1

Vulnerabilities
CVE-2026-54636 | Priority P2 | CRITICAL | CVSS 9.9 | CWE-78 | fixed in 0.38.7 | published 2026-06-26
Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, > or ; - can break out of the Docker container and execute commands on the host as the Dokku user. This
Source: nvd
CVE-2026-45405 | Priority P2 | HIGH | CVSS 8.8 | CWE-59 | fixed in 0.38.2 | published 2026-06-26
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files
Source: nvd
CVE-2026-45406 | Priority P3 | HIGH | CVSS 8.8 | CWE-95 | fixed in 0.38.2 | published 2026-06-26
Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command
Source: nvd
CVE-2026-45408 | Priority P3 | CRITICAL | CVSS 9.0 | CWE-78 | fixed in 0.38.2 | published 2026-06-26
Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc (<<EOF instead of <<'EOF') in fn-git-create-hook() at
Source: nvd
CVE-2026-45407 | Priority P4 | MEDIUM | CVSS 5.5 | CWE-522 | fixed in 0.38.2 | published 2026-06-26
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnera
Source: nvd