CVE-2026-42145
LOWCoolify: File Upload Without Type or Size Validation in Database Backup Restore
Title source: cnaDescription
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the file upload endpoint (app/Http/Controllers/UploadController.php) for database backup restore uploads did not enforce file type or size validation, allowing an authenticated user to upload unexpected or oversized files that could affect service availability. This issue is fixed in version 4.0.0-beta.474.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/coollabsio/coolify/security/advisories/GHSA-66gv-g2w9-6wxp
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/pull/9667
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/commit/e6a6446daeace2999fb77888a611a3271812911f
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474
Scores
CVSS v3
3.1
EPSS
0.0025
EPSS Percentile
16.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Details
CWE
CWE-434
CWE-770
Status
published
Products (1)
coollabsio/coolify
< 4.0.0-beta.474
Published
Jul 07, 2026
Tracked Since
Jul 07, 2026