PT-2025-52854 · Coolify · Coolify

0Xrakan · Published 2025-12-23 · Updated 2026-01-12 · CVE-2025-66211

CVSS v4.0: 9.4 Critical
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Coolify versions prior to 4.0.0-beta.451
Description: Coolify is a self-hostable tool for managing servers, applications, and databases. An OS command injection vulnerability exists in the handling of PostgreSQL init script filenames: the filename supplied for a PostgreSQL initialization script is passed into a shell command without proper validation, so shell metacharacters in the filename are interpreted by the shell. An authenticated user with application/service management permissions can use this to execute arbitrary commands as root on the managed server, i.e. remote code execution.
Recommendations: Update to version 4.0.0-beta.451 or later. Because the issue is reachable by any authenticated account that holds application/service management permissions, it is also worth reviewing which users hold those permissions until the update is applied.
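The pattern behind this class of bug, and the check that removes it, as an added example that is not Coolify's code and not an exploit for this CVE. Coolify itself is a PHP/Laravel application; the example is written in Python so it runs stand-alone. Everything in it is hypothetical: the `echo`-based command stands in for whatever copy/write step a deployment tool would run, `/docker-entrypoint-initdb.d/` is the init directory used by the official PostgreSQL container image, and the allowlist regex is one reasonable policy, not Coolify's fix.

```python
import re
import shlex
import subprocess

# Illustrative allowlist for an init-script filename: a bare basename, a
# conservative character set, a .sql or .sh suffix, no leading dot. Anything
# that could be a path component or a shell metacharacter is rejected.
INIT_SCRIPT_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}\.(sql|sh)$")

# Hypothetical target directory (the PostgreSQL image's init directory).
INIT_DIR = "/docker-entrypoint-initdb.d/"


def is_safe_init_script_name(name: str) -> bool:
    """True only for filenames that match the allowlist and contain no '..'."""
    return bool(INIT_SCRIPT_NAME.fullmatch(name)) and ".." not in name


def unsafe_command(name: str) -> str:
    """Vulnerable pattern: user-controlled filename interpolated into a shell string."""
    return f"echo copying {name} to {INIT_DIR}"


def run_unsafe(name: str) -> str:
    """Runs the vulnerable pattern through /bin/sh; a ';' in the name injects a command."""
    return subprocess.run(unsafe_command(name), shell=True,
                          capture_output=True, text=True).stdout


def quoted_command(name: str) -> str:
    """Fallback when a shell is unavoidable: quote the value so it stays a single word."""
    return f"echo copying {shlex.quote(name)} to {INIT_DIR}"


def run_quoted(name: str) -> str:
    return subprocess.run(quoted_command(name), shell=True,
                          capture_output=True, text=True).stdout


def safe_argv(name: str) -> list[str]:
    """Hardened form: validate against the allowlist, then pass an argv list (no shell)."""
    if not is_safe_init_script_name(name):
        raise ValueError(f"rejected init script filename: {name!r}")
    return ["echo", "copying", name, "to", INIT_DIR]


def run_safe(name: str) -> str:
    return subprocess.run(safe_argv(name), capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed malicious filename: the ';' terminates the intended command.
    evil = "a.sql; echo INJECTED"
    print("unsafe  :", repr(run_unsafe(evil)))    # second echo runs as its own command
    print("quoted  :", repr(run_quoted(evil)))    # whole name stays one literal word
    try:
        run_safe(evil)
    except ValueError as e:
        print("safe    :", e)                      # rejected before any shell is involved
    print("safe ok :", repr(run_safe("01-schema.sql")))
```

The allowlist is the real fix: it rejects the input before any command is built, so the question of how the shell would parse it never arises. Quoting with `shlex.quote` is the secondary defence for code paths that genuinely must go through a shell, and passing an argv list without `shell=True` removes the shell from the picture entirely.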

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-66211
GHSA-24MP-FC9Q-C884

Affected Products

Coolify