Skip to main content

Docker CVE-2025-66210

HIGH
OS Command Injection (CWE-78)
2025-12-23 security-advisories@github.com
RCE Linux Docker Command Injection Coolify
8.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
PoC Detected
Mar 17, 2026 - 17:16 vuln.today
Public exploit code
CVE Published
Dec 23, 2025 - 22:15 nvd
HIGH 8.8

DescriptionNVD

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers. Database names used in import operations are passed directly to shell commands without sanitization, enabling full remote code execution. Version 4.0.0-beta.451 fixes the issue.

AnalysisAI

A command injection vulnerability in Coolify's Database Import functionality allows authenticated users with application/service management permissions to execute arbitrary system commands as root on managed servers. The vulnerability stems from unsanitized database names being passed directly to shell commands, enabling full remote code execution. A public proof-of-concept exploit is available, and with an EPSS score of 0.41% (61st percentile), this represents a moderate real-world exploitation risk for organizations using vulnerable Coolify versions.

Technical ContextAI

Coolify is an open-source server management platform that handles applications and databases. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), a common but critical flaw where user-controlled input is passed to system shell commands without proper sanitization. Based on the CPE data, all Coolify versions prior to 4.0.0-beta.451 are affected, including the entire 4.0.0-beta series from beta100 through beta450. The issue specifically resides in the Database Import functionality where database names are concatenated into shell commands without escaping special characters, allowing attackers to inject additional commands.

RemediationAI

Upgrade Coolify to version 4.0.0-beta.451 or later immediately, as confirmed in the release notes at https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.451. Until patching is possible, restrict access to the Database Import functionality to only highly trusted administrators and monitor for suspicious database names containing shell metacharacters. Review user permissions and temporarily revoke application/service management permissions from untrusted users. Given the availability of public exploit code at https://github.com/0xrakan/coolify-cve-2025-66209-66213, patching should be treated as urgent.

More from same product – last 7 days

CVE-2026-47334 MEDIUM
5.5 May 28

Kernel availability loss in Ubuntu Linux 6.8, 6.17, and 7.0 can be triggered by any unprivileged local user via a defect
CVE-2026-47335 MEDIUM
5.5 May 28

Kernel panic via NULL pointer dereference in Ubuntu Linux 6.8's AppArmor notification handler allows a locally authentic
CVE-2026-47327 LOW
3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel versions 6.8, 6.17, and 7.0 allows a local unprivileged user to crash th
CVE-2026-47337 LOW
3.3 May 28

NULL pointer dereference in Ubuntu Linux kernel SAUCE patches (versions 6.8, 6.17, and 7.0) allows an unprivileged local
CVE-2026-45844
May 27

In the Linux kernel, the following vulnerability has been resolved: netfilter: arp_tables: fix IEEE1394 ARP payload par

Share

CVE-2025-66210 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy