PT-2026-1314 · Coolify · Coolify
Published: 2026-01-05 · Updated: 2026-01-12
CVE-2025-59158
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
Coolify versions prior to 4.0.0-beta.420.7
Description
Coolify is a self-hostable tool for managing servers, applications, and databases. A stored cross-site scripting (XSS) vulnerability exists in the project creation workflow. An authenticated user with low privileges can create a project whose name contains JavaScript. When an administrator later attempts to delete that project or one of its associated resources, the payload executes in the administrator's browser. The vulnerable component is the project creation workflow, where the project name is not properly sanitized before it is rendered. The API endpoint used for project creation is not specified. The vulnerable parameter is the project name.
Recommendations
Update to Coolify version 4.0.0-beta.420.7 or later.
References: Exploit · Fix
Weakness: Improper Encoding or Escaping of Output (XSS)
Affected Products
Coolify