Total CVEs

143,126

Critical Severity

4,045

High Severity

14,563

Last 7 Days

1,288
Quick preset (or use dates below)
Clear Filters
Showing 1 - 20 of 72 CVEs

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields (redis_password, keydb_password, dragonfly_password, clickhouse_admin_user, clickhouse_admin_password, postgres_user, mysql_user) are validated only...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34158 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps user-controlled commands in single quotes without escaping embedded single quotes. Attackers who can edit application settings can inject a ...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-42200 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts() method in app/Actions/Database/StartPostgresql.php) filename handling did not sufficiently restrict paths, allowing a...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474.

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-42147 MEDIUM - 4.9

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, S3 storage endpoint validation only checks URL format and testConnection() sends a server-side request to the configured endpoint, allowing an authenticated user with storage ...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the file upload endpoint (app/Http/Controllers/UploadController.php) for database backup restore uploads did not enforce file type or size validation, allowing an authenticate...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-42143 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to in...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34198 MEDIUM - 5.3

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the TrustProxies middleware trusts all proxies ($proxies = '*'), accepting X-Forwarded-Host from any source. The TrustHosts middleware, intended to prevent host head...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34171 HIGH - 8.0

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/{uuid} endpoint can perform a state-changing password reset using an attacker-known invitation UUID, allowing an attacker who can cause a victim to visit ...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34170 MEDIUM - 4.3

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp api_url field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a Gi...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34168 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping, allowing an authenticated user to set a storag...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34152 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but then sent through SSH heredoc transport that preserves newlines, allowing an authenticated user to inj...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an au...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34058 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\Resources exposes public methods (startUnmanaged, stopUnmanaged, restartUnmanaged) that accept a container ID parameter directly from the browser...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34057 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component (app/Livewire/Project/Database/Import.php) allows client-controlled container and server properties to reach shell commands without lock...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34048 CRITICAL - 9.9

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes an...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34047 CRITICAL - 9.9

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources outsid...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34044 HIGH - 7.7

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount() component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by ...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34037 CRITICAL - 9.9

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an authentic...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-34035 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, log drain secret and environment values were interpolated into shell commands without sufficient encoding, allowing an authenticated user to inject commands executed on the ho...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD