← Back to CVEs
CVE-2026-24839
MEDIUM4.7
Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue.
CVE Details
CVSS v3.1 Score4.7
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionREQUIRED
Published1/28/2026
Last Modified2/4/2026
Sourcenvd
Honeypot Sightings0
Affected Products
dokploy:dokploy
Weaknesses (CWE)
CWE-1021
References
https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8(security-advisories@github.com)
https://github.com/Dokploy/dokploy/pull/3500(security-advisories@github.com)
https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.