Vendor CVEs
Coollabsio
All CVEs
29 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-12815 | 0.00 | — | 0.01 | Jun 21, 2026 | A vulnerability has been found in coollabsio coolify 4.0.0. Impacted is an unknown function of the component Image Name Handler. Such manipulation leads to os command injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did… |
| CVE-2025-64425 | 0.00 | — | 0.00 | Jan 5, 2026 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value.… |
| CVE-2025-64424 | 0.00 | — | 0.02 | Jan 5, 2026 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a command injection vulnerability exists in the git source input fields of a resource, allowing a low privileged user… |
| CVE-2025-64423 | 0.00 | — | 0.00 | Jan 5, 2026 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can see and use invitation links sent to an administrator. When they use the link before… |
| CVE-2025-64422 | 0.00 | — | 0.00 | Jan 5, 2026 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify starting with version 4.0.0-beta.434, the /login endpoint advertises a rate limit of 5 requests but can be trivially bypassed by rotating the X-Forwarded-For header.… |
| CVE-2025-64421 | 0.00 | — | 0.00 | Jan 5, 2026 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user (member) can invite a high privileged user. At first, the application will throw an error, but if… |
| CVE-2025-64420 | 0.00 | — | 0.01 | Jan 5, 2026 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh… |
| CVE-2025-64419 | 0.00 | — | 0.01 | Jan 5, 2026 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker… |
| CVE-2025-59955 | 0.00 | — | 0.00 | Jan 5, 2026 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members`… |
| CVE-2025-59158 | 0.00 | — | 0.00 | Jan 5, 2026 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with… |
| CVE-2025-59157 | 0.00 | — | 0.02 | Jan 5, 2026 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to… |
| CVE-2025-59156 | 0.00 | — | 0.01 | Jan 5, 2026 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to… |
| CVE-2025-66213 | 0.00 | — | 0.03 | Dec 23, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the File Storage Directory Mount Path functionality allows users with application/service… |
| CVE-2025-66212 | 0.00 | — | 0.03 | Dec 23, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Dynamic Proxy Configuration Filename handling allows users with application/service… |
| CVE-2025-66211 | 0.00 | — | 0.03 | Dec 23, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management… |
| CVE-2025-66210 | 0.00 | — | 0.03 | Dec 23, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions… |
| CVE-2025-66209 | 0.00 | — | 0.04 | Dec 23, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Backup functionality allows users with application/service management permissions… |
| CVE-2025-34157 | 0.00 | — | 0.00 | Aug 27, 2025 | Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an… |
| CVE-2025-34159 | 0.00 | — | 0.01 | Aug 27, 2025 | Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary Docker Compose directives during project… |
| CVE-2025-34161 | 0.00 | — | 0.04 | Aug 27, 2025 | Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field… |
| CVE-2025-24025 | 0.00 | — | 0.00 | Jan 24, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.380, the tags page allows users to search for tags. If the search does not return any results, the query gets reflected on the error modal, which leads… |
| CVE-2025-22612 | 0.00 | — | 0.01 | Jan 24, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a coolify instance in plain text. If the server… |
| CVE-2025-22611 | 0.00 | — | 0.00 | Jan 24, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team member's privileges to any role, including the owner… |
| CVE-2025-22610 | 0.00 | — | 0.00 | Jan 24, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the global coolify instance OAuth configuration. This exposes the "client id" and… |
| CVE-2025-22609 | 0.00 | — | 0.01 | Jan 24, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to attach any existing private key on a coolify instance to his own server. If the server… |
| CVE-2025-22608 | 0.00 | — | 0.00 | Jan 24, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to revoke any team invitations on a Coolify instance by only providing a predictable and… |
| CVE-2025-22607 | 0.00 | — | 0.00 | Jan 24, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the details page for any GitHub / GitLab configuration on a Coolify instance by… |
| CVE-2025-22606 | 0.00 | — | 0.00 | Jan 24, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a "project," it is possible to inject arbitrary shell commands by altering the project name. If… |
| CVE-2025-22605 | 0.00 | — | 0.01 | Jan 24, 2025 | Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Starting in version 4.0.0-beta.18 and prior to 4.0.0-beta.253, a vulnerability in the execution of commands on remote servers allows an authenticated user to execute arbitrary… |