CVE-2026-45406

Name: CVE-2026-45406
Creator: NVD / NIST
Published: 2026-06-26T17:16:33.15+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10

Last modified Jun 26, 2026

CVE-2026-45406 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval.

Description

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command substitution to execute arbitrary commands on the host as the dokku user during the app's next deploy. This vulnerability is fixed in 0.38.2.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness Enumeration

CWE-95

Affected Software

Vendor	Product	Versions
Dokku	Dokku	< 0.38.2

References

https://github.com/dokku/dokku/pull/8588Issue Tracking, Patch
https://github.com/dokku/dokku/security/advisories/GHSA-ggqh-98fj-8mg9Vendor Advisory

Timeline

Published: Jun 26, 2026
Last Modified: Jun 26, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-45406?

How severe is CVE-2026-45406?

CVE-2026-45406 has a CVSS score of 8.8/10 (HIGH severity).

How do I fix CVE-2026-45406?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-45406?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST