CVE-2025-59156 · HIGH 8.8 · EPSS p56.6%

CVE-2025-59156

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker Compose directives during project creation or updates. By defining a malicious service that mounts the host filesystem, an attacker can achieve root-level command execution on the host OS, completely bypassing container isolation. Version 4.0.0-beta.420.7 contains a patch for the issue.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.95% probability of exploitation · percentile 56.6% · 2026-06-18T12:00:27Z
Published: 2026-01-05
Last modified: 2026-01-12

Underlying weaknesses · 1

CWE-78

References

  1. https://github.com/coollabsio/coolify/security/advisories/GHSA-h5xw-7xvp-xrxr


Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-34159
  2. CVE-2025-64419
  3. CVE-2025-59157
  4. CVE-2025-66212
  5. CVE-2025-34161
  6. CVE-2025-66213

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.