RCE in Coollabsio Coolify
CVE-2025-59156
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. This fl…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.005 (65.9th percentile)
Affected products
- Coollabsio Coolify — versions < 4.0.0-beta.420.7
Weakness classification (CWE)
References
- https://github.com/coollabsio/coolify/security/advisories/GHSA-h5xw-7xvp-xrxr (x_refsource_CONFIRM)