Command Injection Vulnerability in Coolify by Coollabs
CVE-2026-42148
3.8LOW
What is CVE-2026-42148?
Coolify, an open-source server management tool, has a vulnerability in the buildHelperImage method found in app/Livewire/Settings/Index.php. This flaw allows an attacker to manipulate the dev_helper_version field, enabling them to construct and execute arbitrary commands on the server during the Docker image build process. This risk is particularly pronounced in development environments where user inputs are not adequately validated. The issue has been resolved in version 4.0.0-beta.474.
Affected Version(s)
coolify < 4.0.0-beta.474
