Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in PostgreSQL Init Script Filename handling allows users with application/service management permissions to execute arbitrary commands as root on managed servers. PostgreSQL initialization script filenames are passed to shell commands without proper validation, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.
References (4)
Vendor Advisory (x_refsource_confirm): https://github.com/coollabsio/coolify/security/advisories/GHSA-24mp-fc9q-c884
Issue Tracking (x_refsource_misc): https://github.com/coollabsio/coolify/pull/7375
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/0xrakan/coolify-cve-2025-66209-66213
Release Notes (x_refsource_misc): https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451
Scores
CVSS v3: 8.8
EPSS: 0.0047
EPSS Percentile: 64.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (1)
coollabs/coolify 4.0.0 beta100 (50 CPE variants)
Published: Dec 23, 2025
Tracked Since: Feb 18, 2026