Jan 08, 2026Ravie LakshmananVulnerability / Container Safety
Cybersecurity researchers have disclosed particulars of a number of critical-severity safety flaws affecting Coolify, an open-source, self-hosting platform, that might lead to authentication bypass and distant code execution.
The listing of vulnerabilities is as follows –
CVE-2025-66209 (CVSS rating: 10.0) – A command injection vulnerability within the database backup performance permits any authenticated person with database backup permissions to execute arbitrary instructions on the host server, leading to container escape and full server compromise
CVE-2025-66210 (CVSS rating: 10.0) – An authenticated command injection vulnerability within the database import performance permits attackers to execute arbitrary instructions on managed servers, resulting in full infrastructure compromise
CVE-2025-66211 (CVSS rating: 10.0) – A command injection vulnerability within the PostgreSQL init script administration permits authenticated customers with database permissions to execute arbitrary instructions as root on the server
CVE-2025-66212 (CVSS rating: 10.0) – An authenticated command injection vulnerability within the Dynamic Proxy Configuration performance permits customers with server administration permissions to execute arbitrary instructions as root on managed servers
CVE-2025-66213 (CVSS rating: 10.0) – An authenticated command injection vulnerability within the File Storage Listing Mount performance permits customers with utility/service administration permissions to execute arbitrary instructions as root on managed servers
CVE-2025-64419 (CVSS rating: 9.7) – A command injection vulnerability through docker-compose.yaml that permits attackers to execute arbitrary system instructions as root on the Coolify occasion
CVE-2025-64420 (CVSS rating: 10.0) – An data disclosure vulnerability that enables low-privileged customers to view the non-public key of the basis person on the Coolify occasion, permitting them to achieve unauthorized entry to the server through SSH and authenticate as the basis person utilizing the important thing
CVE-2025-64424 (CVSS rating: 9.4) – A command injection vulnerability was discovered within the git supply enter fields of a useful resource, permitting a low-privileged person (member) to execute system instructions as root on the Coolify occasion
CVE-2025-59156 (CVSS rating: 9.4) – An working system command injection vulnerability that enables a low-privileged person to inject arbitrary Docker Compose directives and obtain root-level command execution on the underlying host
CVE-2025-59157 (CVSS rating: 10.0) – An working system command injection vulnerability that enables an everyday person to inject arbitrary shell instructions that execute on the underlying server by utilizing the Git Repository discipline throughout deployment
CVE-2025-59158 (CVSS rating: 9.4) – An improper encoding or escaping of the info that enables an authenticated person with low privileges to conduct a saved cross-site scripting (XSS) assault throughout undertaking creation that is routinely executed within the browser context when an administrator later makes an attempt to delete the undertaking or its related useful resource
The next variations are impacted by the shortcomings –
CVE-2025-66209, CVE-2025-66210, CVE-2025-66211 – <= 4.0.0-beta.448 (Mounted in >= 4.0.0-beta.451)
CVE-2025-66212, CVE-2025-66213 – <= 4.0.0-beta.450 (Mounted in >= 4.0.0-beta.451)
CVE-2025-64419 – < 4.0.0-beta.436 (Mounted in >= 4.0.0-beta.445)
CVE-2025-64420, CVE-2025-64424 – <= 4.0.0-beta.434 (Repair standing unclear)
CVE-2025-59156, CVE-2025-59157, CVE-2025-59158 – <= 4.0.0-beta.420.6 (Mounted in 4.0.0-beta.420.7)
Supply: Censys
Based on knowledge from assault floor administration platform Censys, there are about 52,890 uncovered Coolify hosts as of January 8, 2026, with most of them situated in Germany (15,000), the U.S. (9,800), France (8,000), Brazil (4,200), and Finland (3,400)
Whereas there aren’t any indications that any of the issues have been exploited within the wild, it is important that customers transfer rapidly to use the fixes as quickly as potential in mild of their severity.
