WID-SEC-W-2026-0031
Vulnerability from csaf_certbund - Published: 2026-01-06 23:00 - Updated: 2026-01-06 23:00
Summary
Coolify: Multiple vulnerabilities
Notes
As the provider of its own content made available for use, the BSI is responsible under the general laws. Users, however, are responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with the content.
Product description
Coolify is an open-source platform for simplifying the deployment and management of applications.
Attack
A remote, authenticated attacker can exploit multiple vulnerabilities in Coolify to execute arbitrary code, even with administrator privileges, to gain elevated privileges, bypass security measures, manipulate data, carry out cross-site scripting attacks, or disclose confidential information.
Affected operating systems
- Other
- UNIX
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Coolify ist eine Open-Source-Plattform zur Vereinfachung der Bereitstellung und Verwaltung von Anwendungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Coolify ausnutzen, um beliebigen Code auszuf\u00fchren \u2013 sogar mit Administratorrechten \u2013, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Daten zu manipulieren, Cross-Site-Scripting-Angriffe durchzuf\u00fchren oder vertrauliche Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0031 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0031.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0031 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0031"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-234r-xrrg-m8f3 vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-234r-xrrg-m8f3"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-24mp-fc9q-c884 vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-24mp-fc9q-c884"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-4fqm-797g-7m6j vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-4p6r-m39m-9cm9 vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4p6r-m39m-9cm9"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-5cg9-38qj-8mc3 vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-688j-rm43-5r8x vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-688j-rm43-5r8x"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-927g-56xp-6427 vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-927g-56xp-6427"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-cj2c-9jx8-j427 vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-cj2c-9jx8-j427"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-f737-2p93-g2cw vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f737-2p93-g2cw"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-h52r-jxv9-9vhf vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-h52r-jxv9-9vhf"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-h5xw-7xvp-xrxr vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-h5xw-7xvp-xrxr"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-q33h-22xm-4cgh vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-q33h-22xm-4cgh"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-q7rg-2j7p-83gp vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-q7rg-2j7p-83gp"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-qwxj-qch7-whpc vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-qx24-jhwj-8w6x vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qx24-jhwj-8w6x"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-vm5p-43qh-7pmq vom 2026-01-06",
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-vm5p-43qh-7pmq"
}
],
"source_lang": "en-US",
"title": "Coolify: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-01-06T23:00:00.000+00:00",
"generator": {
"date": "2026-01-07T12:00:21.804+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0031",
"initial_release_date": "2026-01-06T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-01-06T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.0.0-beta.451",
"product": {
"name": "Open Source Coolify \u003c4.0.0-beta.451",
"product_id": "T049743"
}
},
{
"category": "product_version",
"name": "4.0.0-beta.451",
"product": {
"name": "Open Source Coolify 4.0.0-beta.451",
"product_id": "T049743-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:coollabs:coolify:4.0.0-beta.451"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.0.0-beta.436",
"product": {
"name": "Open Source Coolify \u003c4.0.0-beta.436",
"product_id": "T049744"
}
},
{
"category": "product_version",
"name": "4.0.0-beta.436",
"product": {
"name": "Open Source Coolify 4.0.0-beta.436",
"product_id": "T049744-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:coollabs:coolify:4.0.0-beta.436"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.0.0-beta.435",
"product": {
"name": "Open Source Coolify \u003c4.0.0-beta.435",
"product_id": "T049745"
}
},
{
"category": "product_version",
"name": "4.0.0-beta.435",
"product": {
"name": "Open Source Coolify 4.0.0-beta.435",
"product_id": "T049745-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:coollabs:coolify:4.0.0-beta.435"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.0.0-beta.420.7",
"product": {
"name": "Open Source Coolify \u003c4.0.0-beta.420.7",
"product_id": "T049746"
}
},
{
"category": "product_version",
"name": "4.0.0-beta.420.7",
"product": {
"name": "Open Source Coolify 4.0.0-beta.420.7",
"product_id": "T049746-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:coollabs:coolify:4.0.0-beta.420.7"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.0.0-beta.429",
"product": {
"name": "Open Source Coolify \u003c4.0.0-beta.429",
"product_id": "T049747"
}
},
{
"category": "product_version",
"name": "4.0.0-beta.429",
"product": {
"name": "Open Source Coolify 4.0.0-beta.429",
"product_id": "T049747-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:coollabs:coolify:4.0.0-beta.429"
}
}
}
],
"category": "product_name",
"name": "coolify"
}
],
"category": "vendor",
"name": "coollabs"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-59156",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-59156"
},
{
"cve": "CVE-2025-59157",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-59157"
},
{
"cve": "CVE-2025-59158",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-59158"
},
{
"cve": "CVE-2025-59955",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-59955"
},
{
"cve": "CVE-2025-64419",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-64419"
},
{
"cve": "CVE-2025-64420",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-64420"
},
{
"cve": "CVE-2025-64421",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-64421"
},
{
"cve": "CVE-2025-64422",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-64422"
},
{
"cve": "CVE-2025-64423",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-64423"
},
{
"cve": "CVE-2025-64424",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-64424"
},
{
"cve": "CVE-2025-64425",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-64425"
},
{
"cve": "CVE-2025-66209",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-66209"
},
{
"cve": "CVE-2025-66210",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-66210"
},
{
"cve": "CVE-2025-66211",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-66211"
},
{
"cve": "CVE-2025-66212",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-66212"
},
{
"cve": "CVE-2025-66213",
"product_status": {
"known_affected": [
"T049747",
"T049746",
"T049745",
"T049744",
"T049743"
]
},
"release_date": "2026-01-06T23:00:00.000+00:00",
"title": "CVE-2025-66213"
}
]
}
CVE-2025-59156 (GCVE-0-2025-59156)
Vulnerability from cvelistv5 – Published: 2026-01-05 17:39 – Updated: 2026-01-05 19:53
Title
Coolify has Docker Compose Injection issue
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue.
Severity
9.4 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/advisories/GHSA-h5xw-7xvp-xrxr | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | Affected: < 4.0.0-beta.420.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59156",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T19:53:13.735673Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:53:41.559Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.420.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE)*vulnerability exists in Coolify\u0027s application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T17:39:42.702Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-h5xw-7xvp-xrxr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-h5xw-7xvp-xrxr"
}
],
"source": {
"advisory": "GHSA-h5xw-7xvp-xrxr",
"discovery": "UNKNOWN"
},
"title": "Coolify has Docker Compose Injection issue"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59156",
"datePublished": "2026-01-05T17:39:42.702Z",
"dateReserved": "2025-09-09T15:23:16.327Z",
"dateUpdated": "2026-01-05T19:53:41.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64419 (GCVE-0-2025-64419)
Vulnerability from cvelistv5 – Published: 2026-01-05 19:16 – Updated: 2026-01-05 19:32
Title
Coolify vulnerable to command injection via docker-compose.yaml parameters
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack "docker compose"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue.
Severity
9.7 (Critical)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/advisories/GHSA-234r-xrrg-m8f3 | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/commit/f86ccfaa9af572a5487da8ea46b0a125a4854cf6 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | Affected: < 4.0.0-beta.445 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64419",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T19:32:08.012357Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:32:27.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.445"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build pack \"docker compose\"), the attacker can execute commands on the Coolify instance as root. Version 4.0.0-beta.445 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:16:44.379Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-234r-xrrg-m8f3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-234r-xrrg-m8f3"
},
{
"name": "https://github.com/coollabsio/coolify/commit/f86ccfaa9af572a5487da8ea46b0a125a4854cf6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/commit/f86ccfaa9af572a5487da8ea46b0a125a4854cf6"
}
],
"source": {
"advisory": "GHSA-234r-xrrg-m8f3",
"discovery": "UNKNOWN"
},
"title": "Coolify vulnerable to command injection via docker-compose.yaml parameters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64419",
"datePublished": "2026-01-05T19:16:44.379Z",
"dateReserved": "2025-11-03T22:12:51.363Z",
"dateUpdated": "2026-01-05T19:32:27.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64422 (GCVE-0-2025-64422)
Vulnerability from cvelistv5 – Published: 2026-01-05 20:29 – Updated: 2026-01-05 20:38
Title
Rate-limit bypass on login via X-Forwarded-Host header
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify starting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited credential stuffing and brute-force attempts against user and admin accounts. As of time of publication, it is unclear if a patch is available.
Severity
5.5 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/advisories/GHSA-688j-rm43-5r8x | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | Affected: >= 4.0.0-beta.434 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T20:37:59.227248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T20:38:39.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-beta.434"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify vstarting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header. This enables unlimited credential stuffing and brute-force attempts against user and admin accounts. As of time of publication, it is unclear if a patch is available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T20:29:34.750Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-688j-rm43-5r8x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-688j-rm43-5r8x"
}
],
"source": {
"advisory": "GHSA-688j-rm43-5r8x",
"discovery": "UNKNOWN"
},
"title": "Rate-limit bypass on login via X-Forwarded-Host header"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64422",
"datePublished": "2026-01-05T20:29:34.750Z",
"dateReserved": "2025-11-03T22:12:51.364Z",
"dateUpdated": "2026-01-05T20:38:39.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66211 (GCVE-0-2025-66211)
Vulnerability from cvelistv5 – Published: 2025-12-23 22:00 – Updated: 2026-01-06 15:45
Title
Coolify Vulnerable to Authenticated Remote Code Execution via Command Injection in PostgreSQL Init Script Filename
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
Severity
9.4 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/advisories/GHSA-24mp-fc9q-c884 | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/7375 | x_refsource_MISC |
| https://github.com/0xrakan/coolify-cve-2025-66209-66213 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | Affected: < 4.0.0-beta.451 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T15:15:51.065280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T15:16:10.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.451"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T15:45:48.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-24mp-fc9q-c884",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-24mp-fc9q-c884"
},
{
"name": "https://github.com/coollabsio/coolify/pull/7375",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/7375"
},
{
"name": "https://github.com/0xrakan/coolify-cve-2025-66209-66213",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/0xrakan/coolify-cve-2025-66209-66213"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451"
}
],
"source": {
"advisory": "GHSA-24mp-fc9q-c884",
"discovery": "UNKNOWN"
},
"title": "Coolify Vulnerable to Authenticated Remote Code Execution via Command Injection in PostgreSQL Init Script Filename"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66211",
"datePublished": "2025-12-23T22:00:36.081Z",
"dateReserved": "2025-11-24T23:01:29.678Z",
"dateUpdated": "2026-01-06T15:45:48.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59158 (GCVE-0-2025-59158)
Vulnerability from cvelistv5 – Published: 2026-01-05 17:44 – Updated: 2026-01-05 19:29
Title
Coolify has Stored XSS in Project Name
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g., member role) can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator later attempts to delete the project or its associated resource, the payload automatically executes in the admin's browser context. Version 4.0.0-beta.420.7 contains a patch for the issue.
Severity
9.4 (Critical)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/advisories/GHSA-h52r-jxv9-9vhf | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | Affected: < 4.0.0-beta.420.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59158",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T19:28:28.957997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:29:34.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.420.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g., member role) can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator later attempts to delete the project or its associated resource, the payload automatically executes in the admin\u2019s browser context. Version 4.0.0-beta.420.7 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T17:44:41.498Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-h52r-jxv9-9vhf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-h52r-jxv9-9vhf"
}
],
"source": {
"advisory": "GHSA-h52r-jxv9-9vhf",
"discovery": "UNKNOWN"
},
"title": "Coolify has Stored XSS in Project Name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59158",
"datePublished": "2026-01-05T17:44:41.498Z",
"dateReserved": "2025-09-09T15:23:16.327Z",
"dateUpdated": "2026-01-05T19:29:34.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59157 (GCVE-0-2025-59157)
Vulnerability from cvelistv5 – Published: 2026-01-05 17:41 – Updated: 2026-01-05 19:38
VLAI?
EPSS
Title
Coolify has Git Repository RCE
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue.
Severity
10 (Critical), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
GitHub_M
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3 (x_refsource_CONFIRM)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | < 4.0.0-beta.420.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59157",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T19:38:13.745899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:38:25.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.420.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T17:41:29.557Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3"
}
],
"source": {
"advisory": "GHSA-5cg9-38qj-8mc3",
"discovery": "UNKNOWN"
},
"title": "Coolify has Git Repository RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59157",
"datePublished": "2026-01-05T17:41:29.557Z",
"dateReserved": "2025-09-09T15:23:16.327Z",
"dateUpdated": "2026-01-05T19:38:25.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64423 (GCVE-0-2025-64423)
Vulnerability from cvelistv5 – Published: 2026-01-05 20:41 – Updated: 2026-01-05 21:48
Title
Coolify has a Privilege Escalation - low privileged users can see and use admin invitation links
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available.
Severity
7.7 (High), CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE
- CWE-287 - Improper Authentication
Assigner
GitHub_M
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j (x_refsource_CONFIRM; tagged "exploit" by CISA ADP)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | <= 4.0.0-beta.434 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64423",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T21:08:10.597936Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:48:48.774Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.0.0-beta.434"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before the legitimate recipient does, they are able to log in as an administrator, meaning they have successfully escalated their privileges. As of time of publication, it is unclear if a patch is available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T20:41:37.443Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4fqm-797g-7m6j"
}
],
"source": {
"advisory": "GHSA-4fqm-797g-7m6j",
"discovery": "UNKNOWN"
},
"title": "Coolify has a Privilege Escalation - low privileged users can see and use admin invitation links"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64423",
"datePublished": "2026-01-05T20:41:37.443Z",
"dateReserved": "2025-11-03T22:12:51.364Z",
"dateUpdated": "2026-01-05T21:48:48.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66209 (GCVE-0-2025-66209)
Vulnerability from cvelistv5 – Published: 2025-12-23 21:42 – Updated: 2026-01-06 15:37
Title
Coolify Vulnerable to Authenticated Remote Code Execution via Command Injection in Database Backup
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
Severity
10 (Critical), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
GitHub_M
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-vm5p-43qh-7pmq (x_refsource_CONFIRM)
- https://github.com/coollabsio/coolify/pull/7375 (x_refsource_MISC)
- https://github.com/0xrakan/coolify-cve-2025-66209-66213 (x_refsource_MISC)
- https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 (x_refsource_MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | < 4.0.0-beta.451 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66209",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T15:51:55.650844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T15:51:59.319Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.451"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in backup operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T15:37:11.392Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-vm5p-43qh-7pmq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-vm5p-43qh-7pmq"
},
{
"name": "https://github.com/coollabsio/coolify/pull/7375",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/7375"
},
{
"name": "https://github.com/0xrakan/coolify-cve-2025-66209-66213",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/0xrakan/coolify-cve-2025-66209-66213"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451"
}
],
"source": {
"advisory": "GHSA-vm5p-43qh-7pmq",
"discovery": "UNKNOWN"
},
"title": "Coolify Vulnerable to Authenticated Remote Code Execution via Command Injection in Database Backup"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66209",
"datePublished": "2025-12-23T21:42:18.324Z",
"dateReserved": "2025-11-24T23:01:29.678Z",
"dateUpdated": "2026-01-06T15:37:11.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66212 (GCVE-0-2025-66212)
Vulnerability from cvelistv5 – Published: 2025-12-23 22:04 – Updated: 2026-01-06 15:45
Title
Coolify Vulnerable to Authenticated Remote Code Execution via Command Injection in Dynamic Proxy Configuration Filename
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Proxy configuration filenames are passed to shell commands without proper escaping, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
Severity
9.4 (Critical), CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
GitHub_M
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-q7rg-2j7p-83gp (x_refsource_CONFIRM)
- https://github.com/coollabsio/coolify/pull/7375 (x_refsource_MISC)
- https://github.com/0xrakan/coolify-cve-2025-66209-66213 (x_refsource_MISC)
- https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 (x_refsource_MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | < 4.0.0-beta.451 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66212",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T14:56:50.272895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T14:56:57.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.451"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Proxy configuration filenames are passed to shell commands without proper escaping, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T15:45:54.382Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-q7rg-2j7p-83gp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-q7rg-2j7p-83gp"
},
{
"name": "https://github.com/coollabsio/coolify/pull/7375",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/7375"
},
{
"name": "https://github.com/0xrakan/coolify-cve-2025-66209-66213",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/0xrakan/coolify-cve-2025-66209-66213"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451"
}
],
"source": {
"advisory": "GHSA-q7rg-2j7p-83gp",
"discovery": "UNKNOWN"
},
"title": "Coolify Vulnerable to Authenticated Remote Code Execution via Command Injection in Dynamic Proxy Configuration Filename"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66212",
"datePublished": "2025-12-23T22:04:18.883Z",
"dateReserved": "2025-11-24T23:01:29.678Z",
"dateUpdated": "2026-01-06T15:45:54.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66213 (GCVE-0-2025-66213)
Vulnerability from cvelistv5 – Published: 2025-12-23 22:06 – Updated: 2026-01-06 15:46
Title
Coolify Vulnerable to Authenticated Remote Code Execution via Command Injection in File Storage Directory Mount Path
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The file_storage_directory_source parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. Version 4.0.0-beta.451 fixes the issue.
Severity
9.4 (Critical), CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
GitHub_M
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-cj2c-9jx8-j427 (x_refsource_CONFIRM)
- https://github.com/coollabsio/coolify/pull/7375 (x_refsource_MISC)
- https://github.com/0xrakan/coolify-cve-2025-66209-66213 (x_refsource_MISC)
- https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 (x_refsource_MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | < 4.0.0-beta.451 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66213",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T14:55:47.032574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T14:55:53.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.451"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. The file_storage_directory_source parameter is passed directly to shell commands without proper sanitization, enabling full remote code execution on the host system. Version 4.0.0-beta.451 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T15:46:01.098Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-cj2c-9jx8-j427",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-cj2c-9jx8-j427"
},
{
"name": "https://github.com/coollabsio/coolify/pull/7375",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/7375"
},
{
"name": "https://github.com/0xrakan/coolify-cve-2025-66209-66213",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/0xrakan/coolify-cve-2025-66209-66213"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451"
}
],
"source": {
"advisory": "GHSA-cj2c-9jx8-j427",
"discovery": "UNKNOWN"
},
"title": "Coolify Vulnerable to Authenticated Remote Code Execution via Command Injection in File Storage Directory Mount Path"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66213",
"datePublished": "2025-12-23T22:06:38.995Z",
"dateReserved": "2025-11-24T23:01:29.678Z",
"dateUpdated": "2026-01-06T15:46:01.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64420 (GCVE-0-2025-64420)
Vulnerability from cvelistv5 – Published: 2026-01-05 19:20 – Updated: 2026-01-05 19:30
Title
Coolify members can see private key of root user
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available.
Severity
10 (Critical), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
GitHub_M
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc (x_refsource_CONFIRM)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | <= 4.0.0-beta.434 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64420",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T19:29:04.180478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:30:10.050Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.0.0-beta.434"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:20:24.392Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qwxj-qch7-whpc"
}
],
"source": {
"advisory": "GHSA-qwxj-qch7-whpc",
"discovery": "UNKNOWN"
},
"title": "Coolify members can see private key of root user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64420",
"datePublished": "2026-01-05T19:20:24.392Z",
"dateReserved": "2025-11-03T22:12:51.363Z",
"dateUpdated": "2026-01-05T19:30:10.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64425 (GCVE-0-2025-64425)
Vulnerability from cvelistv5 – Published: 2026-01-05 20:49 – Updated: 2026-01-05 21:48
Title
Coolify has host header injection in forgot password
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker's server, allowing the attacker to use it to change the victim's password and takeover their account. As of time of publication, it is unclear if a patch is available.
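The link construction the description above depends on, as an added example in Python (not Coolify code, which is PHP/Laravel): `reset_link_from_host_header` reproduces the flaw by deriving the absolute URL from the request's Host header, `reset_link_from_config` builds it from a configured origin and refuses untrusted Host values. The origin `https://coolify.example.com`, the trusted-host set, the `/reset-password/<token>` path, the token value and the two request dicts are assumptions constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment configuration (not Coolify's): the canonical public origin
# of the instance and the host names it may legitimately be reached under.
APP_URL = "https://coolify.example.com"
TRUSTED_HOSTS = {"coolify.example.com"}

# Constructed requests (not captured traffic): a legitimate reset request and
# one where the party triggering the reset rewrote the Host header.
LEGIT_REQUEST = {"headers": {"Host": "coolify.example.com"}, "scheme": "https"}
FORGED_REQUEST = {"headers": {"Host": "attacker.example"}, "scheme": "https"}
RESET_TOKEN = "constructed-token-0123456789abcdef"  # arbitrary sample value


def reset_link_from_host_header(request: dict, token: str) -> str:
    """Vulnerable pattern: the absolute URL placed in the e-mail comes from the
    incoming Host header, which the requester (not the victim) controls."""
    host = request["headers"]["Host"]
    return f"{request['scheme']}://{host}/reset-password/{token}"


def reset_link_from_config(request: dict, token: str) -> str:
    """Hardened pattern: reject untrusted Host values outright and build the
    link from the configured origin, never from request headers."""
    host = request["headers"].get("Host", "")
    # strip an optional :port before comparing (IPv6 literals not handled here)
    if host.rsplit(":", 1)[0].lower() not in TRUSTED_HOSTS:
        raise ValueError(f"untrusted Host header: {host!r}")
    scheme, netloc, _, _, _ = urlsplit(APP_URL)
    return urlunsplit((scheme, netloc, f"/reset-password/{token}", "", ""))


def link_points_at_trusted_host(link: str) -> bool:
    """A last-line check a mail-sending layer can run before dispatch,
    independent of how the link was produced."""
    return urlsplit(link).hostname in TRUSTED_HOSTS
```

The Host allowlist and configuration-derived URL generation are two separate controls; keeping both means a reverse proxy that forwards arbitrary Host values still cannot steer the reset link. In Laravel, which Coolify is built on, the corresponding settings are `APP_URL` and the `TrustHosts` middleware.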
Severity
8.5 (High), CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE
- CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax
Assigner
GitHub_M
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-f737-2p93-g2cw (x_refsource_CONFIRM; tagged "exploit" by CISA ADP)
- https://drive.google.com/file/d/1I5sJHcpetJbKlwVS2usAD7qmgH37Y4rw/view?usp=drive_link (x_refsource_MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | <= 4.0.0-beta.434 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64425",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T21:07:55.254069Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:48:36.288Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f737-2p93-g2cw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.0.0-beta.434"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will receive a password reset email, with a link to the malicious host. If the victim clicks this link, their reset token is sent to the attacker\u0027s server, allowing the attacker to use it to change the victim\u0027s password and takeover their account. As of time of publication, it is unclear if a patch is available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-644",
"description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T20:49:10.727Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f737-2p93-g2cw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-f737-2p93-g2cw"
},
{
"name": "https://drive.google.com/file/d/1I5sJHcpetJbKlwVS2usAD7qmgH37Y4rw/view?usp=drive_link",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/1I5sJHcpetJbKlwVS2usAD7qmgH37Y4rw/view?usp=drive_link"
}
],
"source": {
"advisory": "GHSA-f737-2p93-g2cw",
"discovery": "UNKNOWN"
},
"title": "Coolify has host header injection in forgot password"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64425",
"datePublished": "2026-01-05T20:49:10.727Z",
"dateReserved": "2025-11-03T22:12:51.364Z",
"dateUpdated": "2026-01-05T21:48:36.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64421 (GCVE-0-2025-64421)
Vulnerability from cvelistv5 – Published: 2026-01-05 19:42 – Updated: 2026-01-05 20:06
Title
Coolify has a privilege escalation - low privileged user can invite themselves as an admin user
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the application will throw an error, but if the attacker clicks the invite button a second time, it actually works. This way, a low privileged user can invite themselves as an administrator to the Coolify instance. After the high privileged user is invited, the attacker can initiate a password reset and log in with the new admin. As of time of publication, it is unclear if a patch is available.
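CVE-2025-64423 (invitation links readable by members), CVE-2025-64420 (the root private key readable by members) and the record above are all authorization failures around team membership. The following is an added Python example, not Coolify code, of server-side rules that close all three: invitation rights checked on every call so a retry cannot succeed, invitation tokens stored only as hashes and never listed, acceptance bound to the invited address, and field-level redaction of key material by role. The role names, the invite URL layout, the key material and the premise that the accepting session has a verified e-mail address are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Assumed role model (not Coolify's exact role names): a higher rank may do
# everything a lower rank may do.
ROLE_RANK = {"member": 1, "admin": 2, "owner": 3}

# Constructed key material; a real instance would hold the server's SSH key here.
ROOT_PRIVATE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----"
)


class Forbidden(Exception):
    pass


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Invitation:
    email: str
    role: str
    accepted: bool = False


@dataclass
class Team:
    members: dict = field(default_factory=dict)      # email -> role
    invitations: dict = field(default_factory=dict)  # sha256(token) -> Invitation

    def invite(self, actor: str, email: str, role: str) -> str:
        """Create an invitation and return the one-time link for the mailer.
        The checks run server-side on every call, so a retry fails exactly like
        the first attempt (CVE-2025-64421 was a second click succeeding)."""
        actor_role = self.members.get(actor)
        if actor_role is None or ROLE_RANK[actor_role] < ROLE_RANK["admin"]:
            raise Forbidden("only admins and owners may invite")
        if ROLE_RANK.get(role, 99) > ROLE_RANK[actor_role]:
            raise Forbidden("cannot grant a role above your own")
        token = secrets.token_urlsafe(32)
        self.invitations[_token_hash(token)] = Invitation(email, role)
        return f"https://coolify.example.com/invite/{token}"  # assumed URL layout

    def list_invitations(self, actor: str) -> list:
        """What a team page may show: recipient, role and status, never the
        token or link (CVE-2025-64423 was a member reading an admin's link)."""
        if actor not in self.members:
            raise Forbidden("not a team member")
        return [{"email": i.email, "role": i.role, "accepted": i.accepted}
                for i in self.invitations.values()]

    def accept(self, token: str, verified_email: str) -> str:
        """verified_email is the address the accepting session has proven it
        controls (assumed to come from login or e-mail verification). Binding
        the token to it means that seeing the link is not enough to use it."""
        inv = self.invitations.get(_token_hash(token))
        if inv is None or inv.accepted:
            raise Forbidden("unknown or already used invitation")
        if inv.email.lower() != verified_email.lower():
            raise Forbidden("invitation was issued to a different address")
        inv.accepted = True
        self.members[inv.email] = inv.role
        return inv.role

    def server_view(self, actor: str) -> dict:
        """Field-level authorization on the server record (CVE-2025-64420):
        every member gets an identifier derived from the key, only owners get
        the private key itself. (A real SSH fingerprint is computed over the
        public key; the hash here only illustrates the redaction.)"""
        role = self.members.get(actor)
        if role is None:
            raise Forbidden("not a team member")
        view = {"key_id": hashlib.sha256(ROOT_PRIVATE_KEY.encode()).hexdigest()[:16]}
        if role == "owner":
            view["private_key"] = ROOT_PRIVATE_KEY
        return view
```

The point of hashing the token is that even a member who can read the invitations table (or a backup of it) gets nothing usable; the raw link exists only in the mail that was sent. Redacting the private key in the serializer rather than in the template means every API and UI path that renders a server record inherits the same rule.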
Severity
8.7 (High), CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE
- CWE-863 - Incorrect Authorization
Assigner
GitHub_M
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-4p6r-m39m-9cm9 (x_refsource_CONFIRM)
- https://drive.google.com/file/d/1YZHFgiZv_k9p9909A63DAErsTsh8K1rc/view?usp=drive_link (x_refsource_MISC)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | <= 4.0.0-beta.434 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64421",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T20:04:28.996644Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T20:06:08.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.0.0-beta.434"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the application will throw an error, but if the attacker clicks the invite button a second time, it actually works. This way, a low privileged user can invite themselves as an administrator to the Coolify instance. After the high privileged user is invited, the attacker can initiate a password reset and log in with the new admin. As of time of publication, it is unclear if a patch is available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:42:46.699Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4p6r-m39m-9cm9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-4p6r-m39m-9cm9"
},
{
"name": "https://drive.google.com/file/d/1YZHFgiZv_k9p9909A63DAErsTsh8K1rc/view?usp=drive_link",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/1YZHFgiZv_k9p9909A63DAErsTsh8K1rc/view?usp=drive_link"
}
],
"source": {
"advisory": "GHSA-4p6r-m39m-9cm9",
"discovery": "UNKNOWN"
},
"title": "Coolify has a privilege escalation - low privileged user can invite themselves as an admin user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64421",
"datePublished": "2026-01-05T19:42:46.699Z",
"dateReserved": "2025-11-03T22:12:51.364Z",
"dateUpdated": "2026-01-05T20:06:08.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64424 (GCVE-0-2025-64424)
Vulnerability from cvelistv5 – Published: 2026-01-05 20:45 – Updated: 2026-01-05 21:48
Title
Colify has command injection vulnerability in project git source
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user (member) to execute system commands as root on the Coolify instance. As of time of publication, it is unclear if a patch is available.
Severity
- CVSS v4.0 base score 9.4 (CRITICAL)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/advisories/GHSA-qx24-jhwj-8w6x | x_refsource_CONFIRM |
| https://drive.google.com/file/d/1rk7AYxNDkJUwo8uWbzX62PpBxpDYeyrZ/view?usp=drive_link | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | Affected: <= 4.0.0-beta.434 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64424",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T21:08:03.817919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:48:42.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qx24-jhwj-8w6x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.0.0-beta.434"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user (member) to execute system commands as root on the Coolify instance. As of time of publication, it is unclear if a patch is available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T20:45:09.995Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qx24-jhwj-8w6x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-qx24-jhwj-8w6x"
},
{
"name": "https://drive.google.com/file/d/1rk7AYxNDkJUwo8uWbzX62PpBxpDYeyrZ/view?usp=drive_link",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/1rk7AYxNDkJUwo8uWbzX62PpBxpDYeyrZ/view?usp=drive_link"
}
],
"source": {
"advisory": "GHSA-qx24-jhwj-8w6x",
"discovery": "UNKNOWN"
},
"title": "Colify has command injection vulnerability in project git source"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64424",
"datePublished": "2026-01-05T20:45:09.995Z",
"dateReserved": "2025-11-03T22:12:51.364Z",
"dateUpdated": "2026-01-05T21:48:42.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-59955 (GCVE-0-2025-59955)
Vulnerability from cvelistv5 – Published: 2026-01-05 17:46 – Updated: 2026-01-05 17:59
Title
Coolify leaks sensitive information `email_change_code` in `/api/v1/teams/{team_id | current}/members` API endpoint
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints that allows authenticated team members to access a highly sensitive `email_change_code` from other users on the same team. This code is intended for a single-use email change verification and should be kept secret. Its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of time of publication, no known patched versions exist.
Severity
- CVSS v4.0 base score 5.7 (MEDIUM)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
- CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
- CWE-214 - Invocation of Process Using Visible Sensitive Information
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/advisories/GHSA-927g-56xp-6427 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | Affected: <= 4.0.0-beta.428 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59955",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T17:57:31.664806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T17:59:28.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.0.0-beta.428"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints allows authenticated team members to access a highly sensitive `email_change_code` from other users on the same team. This code is intended for a single-use email change verification and should be kept secret. Its exposure could enable a malicious actor to perform an unauthorized email address change on behalf of the victim. As of time of publication, no known patched versions exist."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-212",
"description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-214",
"description": "CWE-214: Invocation of Process Using Visible Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T17:46:56.334Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-927g-56xp-6427",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-927g-56xp-6427"
}
],
"source": {
"advisory": "GHSA-927g-56xp-6427",
"discovery": "UNKNOWN"
},
"title": "Coolify leaksensitive information `email_change_code` in `/api/v1/teams/{team_id | current}/members` API endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59955",
"datePublished": "2026-01-05T17:46:56.334Z",
"dateReserved": "2025-09-23T14:33:49.506Z",
"dateUpdated": "2026-01-05T17:59:28.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66210 (GCVE-0-2025-66210)
Vulnerability from cvelistv5 – Published: 2025-12-23 21:49 – Updated: 2026-01-06 15:45
Title
Coolify Vulnerable to Authenticated Remote Code Execution via Command Injection in Database Import
Summary
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
Severity
- CVSS v4.0 base score 9.4 (CRITICAL)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/coollabsio/coolify/security/advisories/GHSA-q33h-22xm-4cgh | x_refsource_CONFIRM |
| https://github.com/coollabsio/coolify/pull/7375 | x_refsource_MISC |
| https://github.com/0xrakan/coolify-cve-2025-66209-66213 | x_refsource_MISC |
| https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| coollabsio | coolify | Affected: < 4.0.0-beta.451 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66210",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T15:28:43.612795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T15:28:51.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coolify",
"vendor": "coollabsio",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.0-beta.451"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T15:45:42.344Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coollabsio/coolify/security/advisories/GHSA-q33h-22xm-4cgh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coollabsio/coolify/security/advisories/GHSA-q33h-22xm-4cgh"
},
{
"name": "https://github.com/coollabsio/coolify/pull/7375",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/pull/7375"
},
{
"name": "https://github.com/0xrakan/coolify-cve-2025-66209-66213",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/0xrakan/coolify-cve-2025-66209-66213"
},
{
"name": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451"
}
],
"source": {
"advisory": "GHSA-q33h-22xm-4cgh",
"discovery": "UNKNOWN"
},
"title": "Coolify Vulnerable to Authenticated Remote Code Execution via Command Injection in Database Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66210",
"datePublished": "2025-12-23T21:49:44.710Z",
"dateReserved": "2025-11-24T23:01:29.678Z",
"dateUpdated": "2026-01-06T15:45:42.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.