PT-2026-56027 · Coolify · Coolify

Everping

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-42204

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Coolify versions 4.0.0-beta.471 through 4.0.0-beta.473
Description A regression in the SHELL SAFE COMMAND PATTERN allows ampersands to be used in custom Docker Compose build, start, and pre/post-deployment command fields. This enables an authenticated team member to perform shell command injection, resulting in the execution of arbitrary commands on the host system.
Recommendations Update to version 4.0.0-beta.474.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-42204

Affected Products

Coolify