CVE-2026-42143
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled
CVSS
8.8
High
EPSS
0.4%
p35
KEV
—
Exploit Today
11
0-100
Published: Jul 7, 2026 · Last modified: Jul 7, 2026 · CWE-78
0.4%EPSS · 30 days0.4%
2026-07-072026-07-18
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471.
- github.comhttps://github.com/coollabsio/coolify/commit/d2064dd4998694cda2eabd00149f7c4d1e94c699
- github.comhttps://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.471
- github.comhttps://github.com/coollabsio/coolify/security/advisories/GHSA-6pmw-6m96-4v4m
- github.comhttps://github.com/coollabsio/coolify/security/advisories/GHSA-6pmw-6m96-4v4m
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-341978.8 HIG99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability4dCVE-2024-121210.0 CRI99.9%
KEV—80Progress Kemp LoadMaster OS Command Injection Vulnerability6dCVE-2026-398089.8 CRI99.7%
KEV—80Fortinet FortiSandbox OS Command Injection Vulnerability2dCVE-2022-262589.8 CRI99.6%
KEV—80D-Link DIR-820L Remote Code Execution Vulnerability10dCVE-2026-422718.8 HIG99.6%
KEV—80BerriAI LiteLLM Command Injection Vulnerability4dCVE-2021-252988.8 HIG99.5%
KEV—80Nagios XI OS Command Injection10d