PT-2025-34899 · Coolify · Coolify

Mike G.A · Published 2025-08-27 · Updated 2025-08-28 · CVE-2025-34157

CVSS v4.0: 9.4 Critical

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Coolify versions prior to v4.0.0-beta.420.6
Description: Coolify is susceptible to a stored cross-site scripting (XSS) attack within the project creation workflow. An authenticated user with low privileges can create a project whose name contains embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the stored name is rendered unescaped and the payload executes in the administrator's browser context, potentially leading to a full compromise of the Coolify instance. This compromise may include the theft of API tokens and session cookies, and access to WebSocket-based terminal sessions on managed servers.
Recommendations: Update to Coolify version 4.0.0-beta.420.6 or later.
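To illustrate the defect class described above, the following is an added example (not Coolify's code): it models an admin UI that builds a delete-confirmation dialog from a stored project name, shows the unescaped rendering beside the escaped one, and includes a post-upgrade sweep over existing names, since patching the template does not remove payloads already stored. Function names and the sample names are assumptions.

```javascript
// Added example (not Coolify's code). Models an admin UI that builds a
// delete-confirmation dialog from a stored, user-supplied project name.
// Function names and the sample project names are assumptions.

// Characters that can open/close markup or an attribute, and their entities.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape a value so the browser shows it literally instead of parsing it.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the raw name is interpolated into HTML, so any tag or
// event handler stored in the name becomes live when the admin opens the dialog.
function deleteConfirmationUnsafe(projectName) {
  return `<p>Delete project <b>${projectName}</b>?</p>`;
}

// Hardened pattern: identical template, but the name is escaped first.
function deleteConfirmationSafe(projectName) {
  return `<p>Delete project <b>${escapeHtml(projectName)}</b>?</p>`;
}

// Post-upgrade sweep: fixing the template does not clean names already in the
// database. Return the names that contain tag openers, inline event-handler
// attributes or a javascript: scheme so an operator can review and rename them.
const MARKUP_MARKERS = /<[a-z!/]|\bon[a-z]+\s*=|javascript:/i;
function findSuspiciousProjectNames(names) {
  return names.filter((name) => MARKUP_MARKERS.test(name));
}

// Constructed sample data (not from the advisory).
const SAMPLE_NAMES = [
  "billing-api",
  'Demo <img src=x onerror="alert(1)">',
  "staging <3 team",
];
```

The sweep over-reports on purpose (a name such as `onboarding=` would be listed); it is a review list, not a blocklist.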

Exploit · Fix · XSS · RCE


Weakness Enumeration

Related Identifiers: CVE-2025-34157

Affected Products: Coolify