Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-facing web app, low-privileged authenticated user who can set health checks (PR:L), no interaction, and shell execution yields full C/I/A within the unchanged deployment scope.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, Coolify's app/Jobs/ApplicationDeploymentJob.php generate_healthcheck_commands() function directly interpolated the health_check_host, health_check_method, and health_check_path parameters into shell commands without proper sanitization, allowing authenticated users to execute arbitrary commands inside deployment containers. This issue is fixed in version 4.0.0-beta.469.
AnalysisAI
Authenticated command injection in Coolify (self-hosted PaaS) before 4.0.0-beta.469 allows a logged-in user to run arbitrary shell commands inside deployment containers by supplying malicious health-check parameters. The generate_healthcheck_commands() routine in ApplicationDeploymentJob.php interpolates the health_check_host, health_check_method, and health_check_path values straight into a shell command line, so any user able to configure an application's health check gains OS command execution during deployment. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Coolify account with permission to create or edit an application and set its health-check configuration (PR:L), and requires that a deployment be run so that generate_healthcheck_commands() constructs the health-check shell command using the attacker-supplied health_check_host, health_check_method, or health_check_path values. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base 8.8, High) is internally consistent with the description: network-reachable web app, low complexity, low privilege (an authenticated but non-admin user who can define an application and its health check), no user interaction, and full C/I/A impact from arbitrary command execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Coolify user with rights to configure an application sets the health-check path (or host/method) to a value such as `/;$(id > /tmp/pwned)` and triggers a deployment. During deployment, generate_healthcheck_commands() interpolates that value into a shell command, executing the injected payload inside the deployment container with the deploy process's privileges. … |
| Remediation | Vendor-released patch: 4.0.0-beta.469 - upgrade Coolify to v4.0.0-beta.469 or later, which sanitizes the health_check_host, health_check_method, and health_check_path inputs (see release https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.469 and advisory https://github.com/coollabsio/coolify/security/advisories/GHSA-4fhp-xqqp-w7vv). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: restrict application health-check configuration permissions to senior DevOps/platform engineers only; disable health checks if not operationally required. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42657