PULSE
LIVE12signals / 24h
FEED
ransomkrybit reclama a euroins.bg · BG · Financial Servicesransomnova reclama a FMZ Tecnologia em Sistemas · BR · Technologyransomqilin reclama a Heartland Catfish · US · Agriculture and Food Productionransomqilin reclama a Salina Supply · US · Business Servicesransomqilin reclama a St Martha Catholic Church · US · Consumer Servicesransomqilin reclama a The Nueva School · US · Educationransomdragonforce reclama a NewNet · SA · Telecommunicationransomqilin reclama a Sicc · IT · Not Foundransomqilin reclama a KLD Labs · US · Technologyransomqilin reclama a Armara · FR · Not Foundransomqilin reclama a AK Preparedness · Business Servicesransomthreeam reclama a tws-tac.net · DE · Not Foundransomincransom reclama a v-silicon.com · TW · Technologyransomincransom reclama a FAST.COM.PH · PH · Technologyransomkrybit reclama a euroins.bg · BG · Financial Servicesransomnova reclama a FMZ Tecnologia em Sistemas · BR · Technologyransomqilin reclama a Heartland Catfish · US · Agriculture and Food Productionransomqilin reclama a Salina Supply · US · Business Servicesransomqilin reclama a St Martha Catholic Church · US · Consumer Servicesransomqilin reclama a The Nueva School · US · Educationransomdragonforce reclama a NewNet · SA · Telecommunicationransomqilin reclama a Sicc · IT · Not Foundransomqilin reclama a KLD Labs · US · Technologyransomqilin reclama a Armara · FR · Not Foundransomqilin reclama a AK Preparedness · Business Servicesransomthreeam reclama a tws-tac.net · DE · Not Foundransomincransom reclama a v-silicon.com · TW · Technologyransomincransom reclama a FAST.COM.PH · PH · Technology
← All CVEs
CVE WatchJul 7, 2026

CVE-2026-42143

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled

CVSS

8.8

High

EPSS

0.4%

p35

KEV

Exploit Today

11

0-100

Published: Jul 7, 2026 · Last modified: Jul 7, 2026 · CWE-78

EPSS · 30d
0.4%EPSS · 30 days0.4%
2026-07-072026-07-18
Technical description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471.

Official references
Related CVEs
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-341978.8 HIG
99.9%
KEV80Apache ActiveMQ Improper Input Validation Vulnerability4d
CVE-2024-121210.0 CRI
99.9%
KEV80Progress Kemp LoadMaster OS Command Injection Vulnerability6d
CVE-2026-398089.8 CRI
99.7%
KEV80Fortinet FortiSandbox OS Command Injection Vulnerability2d
CVE-2022-262589.8 CRI
99.6%
KEV80D-Link DIR-820L Remote Code Execution Vulnerability10d
CVE-2026-422718.8 HIG
99.6%
KEV80BerriAI LiteLLM Command Injection Vulnerability4d
CVE-2021-252988.8 HIG
99.5%
KEV80Nagios XI OS Command Injection10d