Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
3.3 LOW
CVE-2026-42201 — Coolify: OS Command Injection via Database Credential Fields in Docker Compose Service Co…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields (redis_password, keydb_password, dragonfly_pass…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34158 — Coolify: Command injection via single-quote breakout in Docker Compose custom commands

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker() helper wraps user-controlled commands in single quot…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
2.7 LOW
CVE-2026-27844 — Gallagher Command Centre Controller Uncaught Exception Denial of Service

Uncaught Exception (CWE-248) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authenticated and authorized operator to trigger a Controller restart by sending specific re…

controller_7000 | Remote | Denial of Service
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
2.7 LOW
CVE-2026-27790 — Gallagher Command Centre T20 Readers Uncaught Exception Denial of Service

Uncaught Exception (CWE-248) in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Version …

Remote | Denial of Service
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-26053 — Command Centre Server Incorrect Privilege Assignment

An Incorrect Privilege Assignment (CWE-266) vulnerability in the Command Centre Server allows an authenticated operator with limited privileges to perform some operations that they would not normally…

Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-42200 — Coolify: PostgreSQL Init Script Path Traversal Leads to Arbitrary File Write and Root RCE

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts() method in app/Ac…

coolify | Remote | Path Traversal
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.1 LOW
CVE-2026-42172 — Coolify: Sanctum API Tokens Have No Expiration — Leaked Tokens Grant Permanent Access

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain acces…

coolify | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
4.9 MEDIUM
CVE-2026-42147 — Coolify: SSRF via S3 Storage Endpoint in testConnection()

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, S3 storage endpoint validation only checks URL format and testConnection()…

coolify | Remote | Server-Side Request Forgery
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.1 LOW
CVE-2026-42145 — Coolify: File Upload Without Type or Size Validation in Database Backup Restore

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the file upload endpoint (app/Http/Controllers/UploadController.php) for d…

coolify | Remote | Misconfiguration
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-42143 — Coolify: OS Command Injection via Persistent Volume Names - Root RCE on Managed Servers

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell comman…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
5.3 MEDIUM
CVE-2026-34198 — Coolify: Password reset link poisoning via X-Forwarded-Host header spoofing

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the TrustProxies middleware trusts all proxies ($proxies = '*'), accepting…

coolify | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.0 HIGH
CVE-2026-34171 — Coolify: Account takeover via CSRF-able GET endpoint that resets password to attacker-kno…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/{uuid} endpoint can perform a state-changing password…

coolify | Remote | Authentication
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
4.3 MEDIUM
CVE-2026-34170 — Coolify: Server-Side Request Forgery via attacker-controlled GitHub App API URL

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp api_url field is used as the base URL for server-side HTTP r…

coolify | Remote | Server-Side Request Forgery
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34168 — Coolify: Command injection via unsanitized persistent storage name in docker volume comma…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker …

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34152 — Coolify: Command Injection via Newline in Pre/Post Deployment Commands (Heredoc Transport)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, pre-deployment and post-deployment commands are single-quote escaped but t…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
3.3 LOW
CVE-2026-34149 — Coolify: Authenticated Host-Level RCE via Unescaped Database Credentials in Backup Jobs

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and Mo…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34058 — Coolify: OS Command Injection via Unmanaged Container Operations - Remote Code Execution

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\Resources exposes public methods (startUnman…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
8.8 HIGH
CVE-2026-34057 — Coolify: Authenticated Remote Code Execution via Command Injection in Database Import Con…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component (app/Livewire/Project/Database/Impo…

coolify | Remote | Injection
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.9 CRITICAL
CVE-2026-34048 — Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileg…

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not e…

coolify | Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
9.9 CRITICAL
CVE-2026-34047 — Coolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authoriza…

coolify | Remote | Authorization
Jul 07, 2026 Jul 07, 2026
Jul 07, 2026
Jul 07, 2026
Showing 20 of 7588 Results