RCE in Coollabsio Coolify

CVE-2025-66210

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with ap…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.007 (71.4th percentile)

Affected products

Weakness classification (CWE)

References