Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitable over the network via the web UI (AV:N/AC:L), requires a low-privilege authenticated account able to define init scripts (PR:L), and yields host code execution with full C/I/A impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, PostgreSQL initialization script (generate_init_scripts() method in app/Actions/Database/StartPostgresql.php) filename handling did not sufficiently restrict paths, allowing an authenticated user to write files outside the intended directory and achieve command execution through database initialization. This issue is fixed in version 4.0.0-beta.474.
AnalysisAI
Path traversal leading to remote code execution in Coolify (self-hosted PaaS) before 4.0.0-beta.474 allows an authenticated user to abuse insufficient filename sanitization in the PostgreSQL initialization-script generator (generate_init_scripts() in app/Actions/Database/StartPostgresql.php) to write files outside the intended directory and execute commands during database init. Any user with sufficient privileges to provision a PostgreSQL resource can escalate to code execution on the Coolify host. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated Coolify account (PR:L) with the ability to create or configure a PostgreSQL database resource and control an initialization-script filename processed by generate_init_scripts() in StartPostgresql.php. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): network-reachable via the Coolify web UI, low attack complexity, and only low-privilege authentication (PR:L) required, with full confidentiality, integrity, and availability impact consistent with host-level code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged but authenticated Coolify user creates a new PostgreSQL database and supplies an initialization script whose filename contains path-traversal sequences, causing Coolify to write attacker-controlled content outside the intended init directory. When the database container initializes, the planted script executes, giving the attacker command execution in the database/host context. … |
| Remediation | Vendor-released patch: 4.0.0-beta.474 - upgrade Coolify to that version or later (https://github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474), which corrects the filename handling in generate_init_scripts(); this is the primary and recommended fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Coolify installations and identify versions < 4.0.0-beta.474; immediately restrict database provisioning privileges to only critical personnel and require additional authentication. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41979