CVE-2025-24025 – Coolify Vulnerable to Reflected XSS on Tag Search
https://notcve.org/view.php?id=CVE-2025-24025
24 Jan 2025 — Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.380, the tags page allows users to search for tags. If the search does not return any results, the query is reflected, without output escaping, into the error modal, which leads to reflected cross-site scripting. Version 4.0.0-beta.380 fixes the issue. • https://github.com/coollabsio/coolify/security/advisories/GHSA-f2gf-jvmh-vq73 • CWE-116: Improper Encoding or Escaping of Output •
CVE-2025-22612 – Coolify Vulnerable to Private Key Enumeration on Onboarding resulting in Remote Command Execution (RCE)
https://notcve.org/view.php?id=CVE-2025-22612
24 Jan 2025 — Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.374, the missing authorization allows an authenticated user to retrieve any existing private keys on a coolify instance in plain text. If the server configuration of IP / domain, port (most likely 22) and user (root) matches with the victim's server configuration, then the attacker can execute arbitrary commands on the remote server. Version 4.0.0-beta.374 fixes the issue. • https://github.com/coollabsio/coolify/security/advisories/GHSA-wg8x-cgq4-vjxj • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVE-2025-22611 – Coolify vulnerable to Privilege Escalation resulting in Remote Command Execution (RCE)
https://notcve.org/view.php?id=CVE-2025-22611
24 Jan 2025 — Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, missing authorization allows any authenticated user to escalate their own or any other team member's privileges to any role, including the owner role. They can also remove every other member from the team, including admins and owners. This allows the attacker to access the `Terminal` feature and execute remote commands. Version 4.0.0-beta.361 fixes the issue. • https://github.com/coollabsio/coolify/security/advisories/GHSA-9w72-9qww-qj6g • CWE-862: Missing Authorization •
CVE-2025-22610 – Coolify Vulnerable to OAuth Secrets Leak
https://notcve.org/view.php?id=CVE-2025-22610
24 Jan 2025 — Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the global coolify instance OAuth configuration. This exposes the "client id" and "client secret" for every custom OAuth provider. The attacker can also modify the global OAuth configuration. Version 4.0.0-beta.361 fixes the issue. • https://github.com/coollabsio/coolify/security/advisories/GHSA-496v-9q38-2x6c • CWE-862: Missing Authorization •
CVE-2025-22609 – Coolify Vulnerable to Private Key Hijacking / Remote Command Execution (RCE)
https://notcve.org/view.php?id=CVE-2025-22609
24 Jan 2025 — Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, missing authorization allows any authenticated user to attach any existing private key on a Coolify instance to their own server. If the server configuration of IP / domain, port (most likely 22) and user (root) matches the victim's server configuration, then the attacker can use the `Terminal` feature and execute arbitrary commands on the victim's server. Version 4.0.0... • https://github.com/coollabsio/coolify/security/advisories/GHSA-3w2c-jfr2-9pg9 • CWE-862: Missing Authorization •
CVE-2025-22608 – Coolify Vulnerable to Revocation of Arbitrary Team Invitations (DOS)
https://notcve.org/view.php?id=CVE-2025-22608
24 Jan 2025 — Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to revoke any team invitations on a Coolify instance by only providing a predictable and incrementing ID, resulting in a Denial-of-Service attack (DOS). Version 4.0.0-beta.361 fixes the issue. • https://github.com/coollabsio/coolify/security/advisories/GHSA-qmxm-wvm9-wvxx • CWE-639: Authorization Bypass Through User-Controlled Key CWE-862: Missing Authorization •
CVE-2025-22607 – Coolify Vulnerable to GitHub / GitLab OAuth Secrets Leak
https://notcve.org/view.php?id=CVE-2025-22607
24 Jan 2025 — Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to fetch the details page for any GitHub / GitLab configuration on a Coolify instance by only knowing the UUID of the model. This exposes the "client id", "client secret" and "webhook secret." Version 4.0.0-beta.361 fixes this issue. • https://github.com/coollabsio/coolify/security/advisories/GHSA-8w24-gfgq-jg72 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
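The missing-authorization pattern behind CVE-2025-22608 (a record addressed by a predictable, incrementing ID) and CVE-2025-22607 (a record addressed by its UUID alone), as an added worked example written for this page; it is not Coolify's code, and the same scoping rule applies to the other CWE-862 entries above. The data model, the team-scoping rule, and all names and sample values (users, UUIDs, secrets, invitation IDs) are assumptions constructed for illustration. The vulnerable handlers receive the authenticated caller but never consult it; the fixed handlers resolve the record inside the caller's team and report "not yours" and "does not exist" identically, so a probe cannot tell the two apart.

```python
"""Added example, not Coolify's code: object-level authorization (IDOR / CWE-639
and CWE-862) shown as a vulnerable lookup beside a team-scoped lookup.
All records, secrets and IDs below are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class User:
    name: str
    team_id: int


@dataclass(frozen=True)
class SourceConfig:
    """A GitHub/GitLab-style source configuration (assumed shape for this example)."""
    uuid: str
    team_id: int
    client_id: str
    client_secret: str


@dataclass
class Invitation:
    id: int            # auto-increment primary key: predictable and enumerable
    team_id: int
    revoked: bool = False


# Constructed sample data: two teams; the attacker belongs only to team 2.
ATTACKER = User("mallory", team_id=2)
CONFIGS = {
    "cfg-team1-aaaa": SourceConfig("cfg-team1-aaaa", 1, "Iv1.team1", "team1-secret"),
    "cfg-team2-bbbb": SourceConfig("cfg-team2-bbbb", 2, "Iv1.team2", "team2-secret"),
}


def make_invitations() -> dict[int, Invitation]:
    """Fresh store per run so the sweep below starts from the same state."""
    return {1: Invitation(1, team_id=1), 2: Invitation(2, team_id=1), 3: Invitation(3, team_id=2)}


def fetch_config_vulnerable(caller: User, uuid: str) -> Optional[SourceConfig]:
    """Vulnerable: knowing the UUID is treated as proof of authorization.
    `caller` is available (the request is authenticated) but never used."""
    return CONFIGS.get(uuid)


def fetch_config_scoped(caller: User, uuid: str) -> Optional[SourceConfig]:
    """Fixed: the record must exist AND belong to the caller's team. Both
    failures return None so existence of other teams' records is not leaked."""
    cfg = CONFIGS.get(uuid)
    if cfg is None or cfg.team_id != caller.team_id:
        return None
    return cfg


def revoke_invitation_vulnerable(store: dict[int, Invitation], caller: User, invite_id: int) -> bool:
    """Vulnerable: any existing ID can be revoked by any authenticated user."""
    inv = store.get(invite_id)
    if inv is None:
        return False
    inv.revoked = True
    return True


def revoke_invitation_scoped(store: dict[int, Invitation], caller: User, invite_id: int) -> bool:
    """Fixed: the invitation must belong to the caller's team."""
    inv = store.get(invite_id)
    if inv is None or inv.team_id != caller.team_id:
        return False
    inv.revoked = True
    return True


def sweep(store: dict[int, Invitation], caller: User,
          revoke: Callable[[dict[int, Invitation], User, int], bool],
          id_range: Iterable[int]) -> list[int]:
    """Simulate an attacker walking the incrementing ID space with the given
    handler; returns the IDs that were actually revoked."""
    return [i for i in id_range if revoke(store, caller, i)]


if __name__ == "__main__":
    leaked = fetch_config_vulnerable(ATTACKER, "cfg-team1-aaaa")
    print("vulnerable lookup leaks:", leaked.client_secret if leaked else None)
    print("scoped lookup returns:", fetch_config_scoped(ATTACKER, "cfg-team1-aaaa"))
    print("vulnerable sweep revoked:", sweep(make_invitations(), ATTACKER, revoke_invitation_vulnerable, range(1, 11)))
    print("scoped sweep revoked:", sweep(make_invitations(), ATTACKER, revoke_invitation_scoped, range(1, 11)))
```

The check belongs in the data access path (a team-scoped query, or the framework's policy layer), not in the UI that decides whether to show a button: every entry above was reachable by an authenticated user who simply addressed a record the UI never offered them. A random UUID does not substitute for the check either; it only changes how the identifier is obtained.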
CVE-2025-22606 – Coolify Command Injection Vulnerability in Project Name
https://notcve.org/view.php?id=CVE-2025-22606
24 Jan 2025 — Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In version 4.0.0-beta.358 and possibly earlier versions, when creating or updating a "project," it is possible to inject arbitrary shell commands by altering the project name. If a name includes unescaped characters, such as single quotes (`'`), it breaks out of the intended command structure, allowing attackers to execute arbitrary commands on the host system. This vulnerability allows attackers to execute a... • https://github.com/coollabsio/coolify/security/advisories/GHSA-ccp8-v65g-m526 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
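The CWE-78 pattern described above, as an added worked example written for this page and not taken from Coolify: a command line built by string interpolation, a project-name payload whose single quote closes the quoted argument, and the two standard fixes (quoting the whole argument, or dropping the shell and passing an argv list). The `echo` command stands in for whatever the real code ran with the name; the payload and the function names are constructed for illustration.

```python
"""Added example, not Coolify's code: OS command injection through an unescaped
name (CWE-78) and how argument quoting or an argv list prevents it."""
import shlex
import subprocess

# Constructed attacker-controlled project name. The first `'` closes the quoted
# argument, `;` ends the command, and the trailing `echo '` re-opens a quote so
# the rest of the original command line still parses.
MALICIOUS_NAME = "demo'; echo INJECTED; echo '"


def build_command_vulnerable(name: str) -> str:
    """Naive interpolation: silently assumes the name contains no quote."""
    return f"echo 'project: {name}'"


def build_command_quoted(name: str) -> str:
    """Fix 1: pass the complete argument through shlex.quote (the analogue of
    PHP's escapeshellarg), which single-quotes it and escapes embedded quotes."""
    return f"echo {shlex.quote('project: ' + name)}"


def run_shell(cmd: str) -> list[str]:
    """Run a command line through /bin/sh and return its stdout lines."""
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def run_argv(name: str) -> list[str]:
    """Fix 2 (preferred): no shell at all. Each argv element reaches the program
    verbatim, so quotes and `;` in the name are just bytes inside one argument."""
    proc = subprocess.run(["echo", f"project: {name}"], capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def injected(lines: list[str]) -> bool:
    """True if the payload's smuggled command actually executed."""
    return "INJECTED" in lines


if __name__ == "__main__":
    print("vulnerable:", run_shell(build_command_vulnerable(MALICIOUS_NAME)))
    print("quoted:    ", run_shell(build_command_quoted(MALICIOUS_NAME)))
    print("argv:      ", run_argv(MALICIOUS_NAME))
```

Prefer the argv form. Quoting is correct only while the whole value ends up inside exactly one shell argument; a later refactor that splices the name into a different position on the command line reopens the hole without any change to the quoting call.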