CVE-2026-42200
HIGHCoolify: PostgreSQL Init Script Path Traversal Leads to Arbitrary File Write and Root RCE
Title source: cnaDescription
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts() method in app/Actions/Database/StartPostgresql.php) filename handling did not sufficiently restrict paths, allowing an authenticated user to write files outside the intended directory and achieve command execution through database initialization. This issue is fixed in version 4.0.0-beta.474.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/coollabsio/coolify/security/advisories/GHSA-mv4c-9x67-rrmv
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/pull/9681
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/commit/1cf6c7d0aef8e0edb800ae43f44ded102397cb13
X_Refsource_Misc x_refsource_misc
https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474
Scores
CVSS v3
8.8
EPSS
0.0054
EPSS Percentile
41.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (1)
coollabsio/coolify
< 4.0.0-beta.474
Published
Jul 07, 2026
Tracked Since
Jul 07, 2026