Command Injection Vulnerability in Coolify by Coollabs
CVE-2026-42148

3.8LOW

Key Information:

Vendor

Coollabsio

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-42148?

Coolify, an open-source server management tool, has a vulnerability in the buildHelperImage method found in app/Livewire/Settings/Index.php. This flaw allows an attacker to manipulate the dev_helper_version field, enabling them to construct and execute arbitrary commands on the server during the Docker image build process. This risk is particularly pronounced in development environments where user inputs are not adequately validated. The issue has been resolved in version 4.0.0-beta.474.

Affected Version(s)

coolify < 4.0.0-beta.474

References

CVSS V3.1

Score:
3.8
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.