OS Command Injection in coollabsio Coolify Image Name Handler
CVE-2026-12815

5.3 MEDIUM

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published: 21 June 2026

What is CVE-2026-12815?

A vulnerability exists in the image name handling component of Coolify version 4.0.0, allowing for OS command injection. This security flaw can potentially be exploited remotely, enabling attackers to execute arbitrary commands on the host system. Although the vendor was notified about this issue, they did not respond prior to the public disclosure. The subsequent release of version 4.1.2 included improvements in input validation to mitigate similar vulnerabilities.

Affected Version(s)

coolify 4.0.0

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ST4R (VulDB User)
VulDB CNA Team