← voltar
CVE-2026-42143

Coolify: OS Command Injection via Persistent Volume Names - Root RCE on Managed Servers

CVSS 8.8 HIGHEPSS 0.4%CWE-78
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.8EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
07 jul 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to inject shell metacharacters and execute commands as root when volume operations are triggered. This issue appears to be fixed in version 4.0.0-beta.471.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Produtos afetados
coollabsio · coolify