Authenticated Command Injection Vulnerability in Coolify Tool by Coollabs
CVE-2025-66210

9.4CRITICAL

Key Information:

Vendor

Coollabsio

Status
Coolify
Vendor
CVE Published:
23 December 2025

What is CVE-2025-66210?

Coolify, an open-source tool for server management, has a vulnerability in its Database Import functionality that allows authenticated users with certain permissions to execute arbitrary commands on the server. This is due to improper sanitization of database names that are passed directly to shell commands, leading to potential full remote code execution. The issue has been addressed in version 4.0.0-beta.451.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

coolify < 4.0.0-beta.451

References

https://github.com/coollabsio/coolify/security/advisories...
x_refsource_CONFIRM
https://github.com/coollabsio/coolify/pull/7375
x_refsource_MISC
https://github.com/0xrakan/coolify-cve-2025-66209-66213
x_refsource_MISC

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.