9.7
CVE-2025-64419 - Coolify vulnerable to command injection via docker-compose.yaml parameters
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build p…
7.1
CVE-2025-61781 - GraphQL IDOR allows authenticated user to delete workspace content of other users
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lac…
5.7
CVE-2025-59955 - Coolify leaks sensitive information `email_change_code` in `/api/v1/teams/{team_id | current}/members…
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints allow…
9.4
CVE-2025-59158 - Coolify has Stored XSS in Project Name
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g…
10
CVE-2025-59157 - Coolify has Git Repository RCE
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary sh…
9.4
CVE-2025-59156 - Coolify has Docker Compose Injection issue
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker…
8.8
CVE-2025-55204 - muffon has One-click Remote Code Execution via XSS and Custom URL Handling
muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or cl…
5.3
CVE-2025-10933 - Silicon Labs Z-Wave Protocol Controller Integer underflow vulnerability leads to out of bounds read
An integer underflow vulnerability in the Silicon Labs Z-Wave Protocol Controller can lead to out of bounds memory reads.
9.3
CVE-2025-39484 - WordPress Entrada Theme <= 5.7.7 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Waituk Entrada allows SQL Injection. This issue affects Entrada: from n/a through 5.7.7.
6.5
CVE-2025-39497 - WordPress Dokan Pro plugin <= 3.14.5 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dokan Dokan Pro allows Stored XSS. This issue affects Dokan Pro: from n/a through 3.14.5.