Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
3.1 LOW
CVE-2026-42172 — Coolify: Sanctum API Tokens Have No Expiration — Leaked Tokens Grant Permanent Access

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain acces…

coolify | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
4.9 MEDIUM
CVE-2026-42147 — Coolify: SSRF via S3 Storage Endpoint in testConnection()

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, S3 storage endpoint validation only checks URL format and testConnection()…

coolify | Remote | Server-Side Request Forgery
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.1 LOW
CVE-2026-42145 — Coolify: File Upload Without Type or Size Validation in Database Backup Restore

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the file upload endpoint (app/Http/Controllers/UploadController.php) for d…

coolify | Remote | Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-42143 — Coolify: OS Command Injection via Persistent Volume Names - Root RCE on Managed Servers

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell comman…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-34198 — Coolify: Password reset link poisoning via X-Forwarded-Host header spoofing

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the TrustProxies middleware trusts all proxies ($proxies = '*'), accepting…

coolify | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.0 HIGH
CVE-2026-34171 — Coolify: Account takeover via CSRF-able GET endpoint that resets password to attacker-kno…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/{uuid} endpoint can perform a state-changing password…

coolify | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
4.3 MEDIUM
CVE-2026-34170 — Coolify: Server-Side Request Forgery via attacker-controlled GitHub App API URL

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp api_url field is used as the base URL for server-side HTTP r…

coolify | Remote | Server-Side Request Forgery
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34168 — Coolify: Command injection via unsanitized persistent storage name in docker volume comma…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker …

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34152 — Coolify: Command Injection via Newline in Pre/Post Deployment Commands (Heredoc Transport)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but t…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.3 LOW
CVE-2026-34149 — Coolify: Authenticated Host-Level RCE via Unescaped Database Credentials in Backup Jobs

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and Mo…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34058 — Coolify: OS Command Injection via Unmanaged Container Operations - Remote Code Execution

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\Resources exposes public methods (startUnman…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34057 — Coolify: Authenticated Remote Code Execution via Command Injection in Database Import Con…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component (app/Livewire/Project/Database/Impo…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.9 CRITICAL
CVE-2026-34048 — Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileg…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not e…

coolify | Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.9 CRITICAL
CVE-2026-34047 — Coolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authoriza…

coolify | Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
7.7 HIGH
CVE-2026-34044 — Coolify: Cross-team IDOR in logs component (resource lookup not team-scoped)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount() component looks up resources by UUID without scoping the…

coolify | Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.9 CRITICAL
CVE-2026-34037 — Cross-Tenant Resource Cloning via Broken Object-Level Authorization in cloneTo()

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo() Livewire action in ResourceOperations.php authorizes the sou…

coolify | Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34035 — Coolify: Host RCE via Log Drain secret/env command injection

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, log drain secret and environment values were interpolated into shell comma…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34034 — Coolify: Host RCE via Sentinel token injection

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentinel_token setting is used in shell commands without sufficient va…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
6.4 MEDIUM
CVE-2026-11328 — Exclusive Addons for Elementor <= 2.7.9.8 - Authenticated (Contributor+) Stored Cross-Sit…

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title parameter in all versions up to, and including, 2.7.9.8 due to insufficient inp…

Remote | Cross-Site Scripting
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.1 MEDIUM
CVE-2026-53648 — FOSSBilling: Downloadable product files can be overwritten through filename collisions

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.1, downloadable product files are stored using a deterministic filename-derived path. When an administrat…

Remote | Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
Showing 20 of 7583 Results