Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable panel, low complexity, requires an authenticated user able to set database config (PR:L), no interaction; injected commands fully compromise the database container (C/I/A:H, scope unchanged).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL healthcheck command generation used attacker-controlled database settings (postgres_user and postgres_db) in shell-form commands, allowing an authenticated user to inject commands executed in the database container. This issue is fixed in version 4.0.0-beta.474.
Articles & Coverage 1
AnalysisAI
Command injection in Coolify self-hosted PaaS versions prior to 4.0.0-beta.474 allows an authenticated user to run arbitrary OS commands inside the PostgreSQL database container by supplying malicious postgres_user or postgres_db values that are interpolated into shell-form healthcheck commands (CWE-78). Because the CVSS vector is PR:L/UI:N with full high impact to confidentiality, integrity, and availability, any user able to create or configure a database can achieve container-level code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Coolify account (CVSS PR:L) with the ability to create or configure a PostgreSQL database resource, because the injection point is the attacker-controlled postgres_user and postgres_db settings used in the healthcheck command. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score is 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a network-reachable, low-complexity attack requiring only low privileges and no user interaction, yielding full compromise of the targeted database container. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged but valid Coolify account creates or edits a PostgreSQL database and sets the postgres_user or postgres_db field to a value embedding shell metacharacters (for example, a name containing a command-substitution or a chained command). When Coolify generates and runs the container healthcheck in shell form, the injected payload executes inside the database container as its runtime user. … |
| Remediation | Vendor-released patch: upgrade Coolify to version 4.0.0-beta.474 or later, which replaces the vulnerable shell-form healthcheck construction (see release https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474 and advisory https://github.com/coollabsio/coolify/security/advisories/GHSA-gvc4-f276-r88p). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: (1) Audit all users with Coolify database configuration privileges; (2) Revoke or disable non-essential database management access; (3) Enable audit logging for configuration changes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41960