CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-45408

criticalCVSS 9covered by 1 sourcefirst seen 2026-06-26
Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc (<<EOF instead of <<'EOF') in fn-git-create-hook() at plugins/git/internal-functions:378. On git push, bash interprets the semicolon as a command separator, executing arbitrary commands as the dokku user. This vulnerability is fixed in 0.38.2.

⚡ Watch CVE-2026-45408

Get an email if CVE-2026-45408 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-45408

CVE.org record

Embed the live status

CVE-2026-45408 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-45408 status](https://www.csirts.com/badge/CVE-2026-45408)](https://www.csirts.com/cve/CVE-2026-45408)