RCE in Dokku

CVE-2026-54636

Dokku is a Docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limit…

Vulnerability class: Command Injection (OS Command Injection)

CVSS v3 metric

CVSS v3 base score 9.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H.

Affected products

  • Dokku — versions < 0.38.7

Frequently asked questions

What is CVE-2026-54636?
CVE-2026-54636 is a critical-severity vulnerability in Dokku, classified under OS Command Injection. CVSS score: 9.0/10. Published 2026-06-26.

How severe is CVE-2026-54636?
Critical severity. CVSS v3 base score is 9.0 out of 10.