Command Injection Vulnerability in Coolify Server Management Tool
CVE-2026-27955

6.6 MEDIUM

Key Information:

Vendor: Coollabsio
Status: Vendor
CVE Published: 30 June 2026

What is CVE-2026-27955?

Coolify, an open-source tool for managing servers, applications, and databases, has a command injection vulnerability in its executeInDocker() helper in versions before 4.0.0-beta.464. The helper takes the user-controlled custom build and start command fields and wraps them in single quotes without sufficiently escaping single quotes inside them, so a crafted value can break out of the quoted string and run arbitrary commands on the host server rather than inside the intended Docker container. Upgrading to version 4.0.0-beta.464 or later fixes the issue.
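The quoting defect described above, shown as an added illustration that is not Coolify's code: a wrapper that surrounds a user-supplied command with single quotes but leaves embedded single quotes alone lets the host shell re-tokenise the string, while the standard '\'' escape keeps the whole value a single argument to the inner shell. The docker exec ... sh -c shape, the container name and the sample commands are constructed assumptions.

```python
import shlex
from typing import List, Optional


def naive_quote(s: str) -> str:
    """Vulnerable pattern: wrap in single quotes, embedded quotes untouched."""
    return "'" + s + "'"


def safe_quote(s: str) -> str:
    """Hardened: close the quoted string, emit an escaped quote, reopen."""
    return "'" + s.replace("'", "'\\''") + "'"


def build_exec(container: str, user_command: str, quote) -> str:
    """Hypothetical wrapper shape (constructed): run a user command in a container."""
    return f"docker exec {shlex.quote(container)} sh -c {quote(user_command)}"


def host_shell_words(container: str, user_command: str, quote) -> Optional[List[str]]:
    """Tokenise the wrapper as the host shell would; None if quotes are unbalanced."""
    try:
        return shlex.split(build_exec(container, user_command, quote))
    except ValueError:
        return None


def is_contained(container: str, user_command: str, quote) -> bool:
    """True only if the host shell hands user_command unchanged as the sole `sh -c` argument."""
    words = host_shell_words(container, user_command, quote)
    if words is None:
        return False
    return words[:5] == ["docker", "exec", container, "sh", "-c"] and words[5:] == [user_command]


if __name__ == "__main__":
    # Constructed sample: a build command containing single quotes.
    sample = "ls ' logs 'dir"
    print("naive :", host_shell_words("app-1", sample, naive_quote))  # tail splits into extra words
    print("safe  :", host_shell_words("app-1", sample, safe_quote))   # stays one argument
```

A regression check for a wrapper like this is to assert that every quoting path satisfies is_contained for inputs containing single quotes, spaces and an odd number of quotes.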

Affected Version(s)

coolify < 4.0.0-beta.464

CVSS V3.1

Score: 6.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved