Arbitrary Content Injection Vulnerability in Coolify Tool
CVE-2026-41899
6.5MEDIUM
What is CVE-2026-41899?
Coolify, a self-hostable application management tool, suffers from an authentication vulnerability in its feedback API prior to version 4.0.0-beta.474. The lack of authentication and input validation enables malicious users to send arbitrary content through the POST /api/feedback endpoint. This flaw allows for potential spam and content injection, as sensitive information can be relayed to a Discord webhook without any restrictions. The issue has been resolved in the latest version, enhancing security and protecting against misuse.
Affected Version(s)
coolify < 4.0.0-beta.474
