CVE-2026-34152

HIGH

Coolify: Command Injection via Newline in Pre/Post Deployment Commands (Heredoc Transport)

Title source: cna
STIX 2.1

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but then sent through SSH heredoc transport that preserves newlines, allowing an authenticated user to inject additional shell statements that execute on the remote server during deployment. This issue is fixed in version 4.0.0-beta.471.

Scores

CVSS v3 8.8
EPSS 0.0037
EPSS Percentile 29.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
coollabsio/coolify < 4.0.0-beta.471
Published Jul 07, 2026
Tracked Since Jul 07, 2026