CVE-2025-59157
Severity: CRITICAL
Coolify < 4.0.0-beta.420.7 - Authenticated OS Command Injection via Git Repository Field
Title source: llmDescription
Coolify is an open-source, self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field used during project creation is vulnerable to OS command injection: the field's value is not properly sanitized before it reaches the shell, so an attacker can inject arbitrary shell commands that execute on the underlying server during the deployment workflow. A regular member user (low-privilege, authenticated) can exploit this vulnerability. Version 4.0.0-beta.420.7 contains a patch for the issue.
References (1)
Core references:
- https://github.com/coollabsio/coolify/security/advisories/GHSA-5cg9-38qj-8mc3 (Exploit, Vendor Advisory; x_refsource_confirm)
Scores
CVSS v3 base score: 9.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0180
EPSS Percentile: 75.6%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS Command Injection)
Status: published
Products (1)
coollabs/coolify 4.0.0 beta100 (50 CPE variants)
Published: Jan 05, 2026
Tracked Since: Feb 18, 2026