A command injection flaw exists in Dokploy’s WebSocket endpoint used for launching terminal sessions inside Docker containers. The "containerId" and "activeWay" fields are placed directly into a shell command without any sanitization, enabling an attacker who has authenticated access to inject arbitrary shell commands. Successful exploitation grants the attacker unrestricted execution on the host operating system, thereby compromising confidentiality, integrity, and availability of the entire environment.

The vulnerability impacts all installations of Dokploy running a version older than 0.26.6. Versions 0.26.6 and later have fixed the flaw. The affected product is the self‑hosted Platform as a Service application Dokploy, as identified by the vendor package name dokploy.

The CVSS rating of 9.9 classifies this issue as critical, reflecting the high impact and the fact that it is reachable by an authenticated user through the WebSocket interface. Although the EPSS score is reported as less than 1%, indicating a low probability of immediate exploitation, the lack of entry in the CISA KEV catalog does not diminish the need for swift action. The attack vector is remote, requiring authentication but not privileged local access beyond the permitted user role. The combination of severe impact and a low but non‑zero exploitation probability means that any environment running a vulnerable Dokploy version should treat this as a top‑priority vulnerability.