Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
References (4)
Core References
Vendor Advisory (x_refsource_confirm): https://github.com/coollabsio/coolify/security/advisories/GHSA-q33h-22xm-4cgh
Issue Tracking (x_refsource_misc): https://github.com/coollabsio/coolify/pull/7375
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/0xrakan/coolify-cve-2025-66209-66213
Release Notes (x_refsource_misc): https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
Scores
CVSS v3: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0047
EPSS Percentile: 64.7%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (1): coollabs/coolify, 4.0.0 beta100 (50 CPE variants)
Published: Dec 23, 2025
Tracked Since: Feb 18, 2026