๐Ÿ” CVE Alert

CVE-2026-42153

HIGH 8.8

Coolify: PostgreSQL Healthcheck Command Injection Allows Root Code Execution in Container

CVSS Score
8.8
EPSS Score
0.4%
EPSS Percentile
28th

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL healthcheck command generation used attacker-controlled database settings (postgres_user and postgres_db) in shell-form commands, allowing an authenticated user to inject commands executed in the database container. This issue is fixed in version 4.0.0-beta.474.

CWE CWE-78
Vendor coollabsio
Product coolify
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for coollabsio coolify

Be the first to know when new high vulnerabilities affecting coollabsio coolify are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

coollabsio / coolify
< 4.0.0-beta.474

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/coollabsio/coolify/security/advisories/GHSA-gvc4-f276-r88p github.com: https://github.com/coollabsio/coolify/pull/9674 github.com: https://github.com/coollabsio/coolify/commit/b74f54302b1a857c22c55fe1210d700859b0b3df github.com: https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474