Total CVEs

143,081

Critical Severity

4,044

High Severity

14,530

Last 7 Days

1,278
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 21 - 40 of 55 CVEs
CVE-2026-34034 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel_token setting is used in shell commands without sufficient validation, allowing an authenticated user with access to server Sentinel settings to inject shell synt...

Vendor: coollabsio
Product: coolify
Published: Jul 07, 2026
Source: NVD
CVE-2026-42204 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.471 through 4.0.0-beta.473, a regression in SHELL_SAFE_COMMAND_PATTERN allowed ampersands in custom Docker Compose build, start, and pre/post-deployment command fields, allowing an aut...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-42153 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL healthcheck command generation used attacker-controlled database settings (postgres_user and postgres_db) in shell-form commands, allowing an authenticated user to ...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the buildHelperImage method in app/Livewire/Settings/Index.php constructs a Docker build command using the dev_helper_version field without shell escaping, allowing an attacke...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-41899 MEDIUM - 6.5

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, POST /api/feedback has no authentication, no rate limiting, and no input validation, allowing arbitrary content to be forwarded directly to a Discord webhook and enabling spam...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-34599 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership (lowest privilege member role) to execute a...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-34167 MEDIUM - 5.0

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's #[Locked] attribute. It loads activities via Activity::find($this->acti...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-34153 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, LocalFileVolume::saveStorageOnServer builds shell commands using unescaped fs_path and parent_dir values before validation, and submitFileStorage does not validate the user-co...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-34050 MEDIUM - 6.5

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially modify...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configure b...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-32718 MEDIUM - 6.5

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing read-scoped API tokens to perform state-changing operations such as validating cloud tokens and servers...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-34038 CRITICAL - 9.9

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution and...

Vendor: coollabsio
Product: coolify
Published: Jul 06, 2026
Source: NVD
CVE-2026-27957 HIGH - 8.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH use...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD
CVE-2026-27956 MEDIUM - 4.3

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate ...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD
CVE-2026-27955 MEDIUM - 6.6

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the executeInDocker() helper wraps commands in bash -c '{$command}' without escaping single quotes. User-controlled docker_compose_custom_build_command and docker_co...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD
CVE-2026-27883 MEDIUM - 5.0

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD
CVE-2026-27882 MEDIUM - 4.8

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD
CVE-2026-27881 MEDIUM - 5.0

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any...

Vendor: coollabsio
Product: coolify
Published: Jun 30, 2026
Source: NVD
CVE-2026-34592 HIGH - 7.7

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, Coolify server and project lookups are not scoped to the current team, allowing any authenticated user to access servers and projects belonging to other teams by specifying th...

Vendor: coollabsio
Product: coolify
Published: Jun 29, 2026
Source: NVD
CVE-2026-41896 HIGH - 7.5

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key is the application's manual_webhook_secret_github field, which is used by Coolify's webhook endpoints to validate incoming requests, is nullable with no...

Vendor: coollabsio
Product: coolify
Published: Jun 29, 2026
Source: NVD