CVE-2026-58455 PUBLISHED

Dockwatch 0.6.567 Unauthenticated OS Command Injection via ajax/compose.php

Assigner: VulnCheck
Reserved: 30.06.2026 Published: 02.07.2026 Updated: 02.07.2026

Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands. The root cause is a missing exit() after the authentication redirect in loader.php, combined with unsanitized input passed to shell_exec() in ajax/compose.php. Attackers can seed the required session flag through the incomplete auth check, then inject arbitrary commands via the composePath POST parameter of the composePull action to achieve full host compromise, which the standard deployment facilitates by mounting the Docker socket.
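The two defects named in the description (an authentication redirect that does not stop execution, CWE Execution After Redirect, and a request parameter reaching shell_exec() unneutralized) are shown below beside their hardened forms. This is an added illustration of the bug classes, not Dockwatch's own code: the file layout, session key names, the allowed compose directory and the function names are assumptions.

```php
<?php
// Added illustrative example; not code from Dockwatch. Session keys,
// helper names and the '/config/compose' root are assumptions.

// ---- Vulnerable pattern 1: redirect without exit() (Execution After Redirect)
function requireLoginVulnerable(): void
{
    if (empty($_SESSION['loggedIn'])) {
        header('Location: /login.php');
        // No exit here: the Location header is queued, but PHP keeps running
        // the rest of the script for the unauthenticated request, so any
        // state set below (e.g. a "passed loader" flag) is still reachable.
    }
    $_SESSION['loaderPassed'] = true; // assumed flag later checks rely on
}

// ---- Vulnerable pattern 2: request data interpolated into a shell command
function composePullVulnerable(string $composePath): ?string
{
    // The string is handed to /bin/sh unchanged, so shell metacharacters in
    // it are interpreted as part of the command rather than as a file name.
    return shell_exec('docker compose -f ' . $composePath . ' pull');
}

// ---- Hardened pattern 1: the redirect terminates the request
function requireLogin(): void
{
    if (empty($_SESSION['loggedIn'])) {
        header('Location: /login.php', true, 302);
        exit; // nothing after this line executes for an unauthenticated client
    }
}

// ---- Hardened pattern 2: allow-list the path, then run without a shell
function validateComposePath(string $composePath, string $allowedRoot): string
{
    // realpath() resolves symlinks and '..', so the containment check below
    // compares canonical paths. Only known compose file names are accepted.
    $real = realpath($composePath);
    $root = realpath($allowedRoot);
    $names = ['docker-compose.yml', 'docker-compose.yaml', 'compose.yml', 'compose.yaml'];
    if ($real === false || $root === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0
        || !in_array(basename($real), $names, true)) {
        throw new InvalidArgumentException('compose file outside allowed root');
    }
    return $real;
}

function composePull(string $composePath, string $allowedRoot): string
{
    $file = validateComposePath($composePath, $allowedRoot);
    // Argument-array form of proc_open() (PHP >= 7.4) executes the program
    // directly with no shell in between, so the file name is never parsed
    // for metacharacters. escapeshellarg() would be the fallback for
    // shell_exec() if a shell is unavoidable.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['docker', 'compose', '-f', $file, 'pull'], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start docker compose');
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Handler shape (assumed): every AJAX action re-checks authentication itself
// instead of trusting a flag seeded by a separate loader script.
session_start();
requireLogin();
if (($_POST['action'] ?? '') === 'composePull') {
    try {
        echo composePull((string) ($_POST['composePath'] ?? ''), '/config/compose');
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'invalid composePath';
    }
}
```

Two points are worth checking in a codebase of this shape: every `header('Location: ...')` used as an access-control gate is followed by `exit` (or the check returns early), and no request-derived string reaches `shell_exec()`, `exec()`, `system()` or backticks without first being reduced to an allow-listed value. The second is easier to audit when the process is started with an argument array, as above, because there is no shell line left to inspect.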

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.2

Product Status

Vendor Notifiarr
Product dockwatch
Versions Default: affected
  • affected from 0 to 0.6.567 (incl.)

Credits

  • rayyb0t (https://github.com/rayyb0t) finder

References

Problem Types

  • Execution After Redirect (EAR) CWE
  • Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE