10
CVE-2025-64420 - Coolify members can see private key of root user
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and au…
9.7
CVE-2025-64419 - Coolify vulnerable to command injection via docker-compose.yaml parameters
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.445, parameters coming from docker-compose.yaml are not sanitized when used in commands. If a victim user creates an application from an attacker repository (using build p…
7.1
CVE-2025-61781 - GraphQL IDOR allows authenticated user to delete workspace content of other users
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation lac…
5.7
CVE-2025-59955 - Coolify leaks sensitive information `email_change_code` in `/api/v1/teams/{team_id | current}/members…
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the `/api/v1/teams/{team_id}/members` and `/api/v1/teams/current/members` API endpoints allow…
9.4
CVE-2025-59158 - Coolify has Stored XSS in Project Name
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g…
10
CVE-2025-59157 - Coolify has Git Repository RCE
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, the Git Repository field during project creation is vulnerable to command injection. User input is not properly sanitized, allowing attackers to inject arbitrary sh…
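The vulnerability class behind the Git Repository entry, as an added Python illustration that does not reproduce Coolify's code (Coolify is a PHP application; the pattern is the same in any language): a user-supplied repository URL interpolated into a shell command string, beside the hardened form that validates the value against an allowlist and passes it as a single argv element with no shell. The sample inputs and the `REPO_URL_RE` allowlist are constructed assumptions, and `echo` stands in for `git clone` so the demonstration has no side effects.

```python
import re
import subprocess

# Constructed sample inputs (not taken from the advisory): a benign repository URL,
# one carrying a shell metacharacter payload, and one that is a git option, not a URL.
BENIGN_REPO = "https://github.com/example/app.git"
SHELL_PAYLOAD_REPO = "https://github.com/example/app.git; echo INJECTED"
OPTION_PAYLOAD_REPO = "--upload-pack=touch /tmp/x"

# Hypothetical allowlist of accepted repository forms: https URLs and scp-style ssh
# addresses, limited to a conservative character set (no whitespace, quotes, ; | & $ `).
REPO_URL_RE = re.compile(
    r"(?:https://[A-Za-z0-9.-]+(?::\d+)?/[A-Za-z0-9._/-]+"
    r"|[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[A-Za-z0-9._/-]+)"
)


def run_unsafe(repo: str) -> str:
    """Vulnerable pattern: the user-controlled value is interpolated into a command
    string that is handed to /bin/sh, so shell metacharacters in it are interpreted."""
    cmd = f"echo clone {repo}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_repo_url(repo: str) -> str:
    """Reject anything outside the allowlist, including values starting with '-',
    which git would otherwise parse as an option (e.g. --upload-pack)."""
    if repo.startswith("-") or not REPO_URL_RE.fullmatch(repo):
        raise ValueError(f"rejected repository URL: {repo!r}")
    return repo


def run_hardened(repo: str) -> str:
    """Hardened pattern: validate first, then pass the value as one argv element with
    no shell involved. The '--' tells git that what follows is an operand rather than
    an option, which closes the argument-injection path even if the allowlist is
    loosened later."""
    argv = ["echo", "clone", "--", validate_repo_url(repo)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(run_unsafe(SHELL_PAYLOAD_REPO), end="")   # a second line "INJECTED": the payload ran
    print(run_hardened(BENIGN_REPO), end="")        # the URL is handled as one literal argument
    for bad in (SHELL_PAYLOAD_REPO, OPTION_PAYLOAD_REPO):
        try:
            run_hardened(bad)
        except ValueError as exc:
            print(exc)
```

Two separate defences are in play: removing the shell (argv form) stops metacharacter injection, and the allowlist plus `--` stop the distinct problem of a value that git itself interprets as an option. Quoting or escaping a value before interpolating it into a shell string is not an equivalent fix; it leaves the shell in the loop and is routinely bypassed.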
9.4
CVE-2025-59156 - Coolify has Docker Compose Injection issue
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.420.7, a Remote Code Execution (RCE) vulnerability exists in Coolify's application deployment workflow. This flaw allows a low-privileged member to inject arbitrary Docker…
8.8
CVE-2025-55204 - muffon has One-click Remote Code Execution via XSS and Custom URL Handling
muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or cl…
5.3
CVE-2025-10933 - Silicon Labs Z-Wave Protocol Controller Integer underflow vulnerability leads to out of bounds read
An integer underflow vulnerability in the Silicon Labs Z-Wave Protocol Controller can lead to out of bounds memory reads.
9.3
CVE-2025-39484 - WordPress Entrada Theme <= 5.7.7 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Waituk Entrada allows SQL Injection. This issue affects Entrada: from n/a through 5.7.7.