CVE•Published 2026-05-26•Modified 2026-05-29•1 article on news•6 live references•NVD data

CVE-2026-44985Amirraminfar · Dozzle

Vulnerability data via NVD (ingested)

CVSS v3.1

9.6

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS percentile

—

Weaknesses (CWE)

CWE-346Origin Validation Error

Description

Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, he WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepting upgrade requests from any origin. Combined with the JWT cookie using SameSite: Lax, this enables Cross-Site WebSocket Hijacking (CSWSH). An attacker hosting a page on a same-site origin (e.g., a sibling subdomain, or another service on localhost) can initiate a WebSocket connection to the exec endpoint that carries the victim's valid JWT cookie, gaining interactive shell access in any container the victim is authorized to access. This vulnerability is fixed in 10.5.2.

Timeline

Published 2026-05-26

Modified 2026-05-29

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-44985

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Amirraminfar Dozzle"

All exposed Amirraminfar Dozzle instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Dozzle"

HTTP body or banner mentions "Dozzle" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-44985