216.73.217.22

CVE-2025-59158

· Published 05/01/2026 18:15 · Modified 05/01/2026 18:15

Labels: CVE-2025-59158 2026-01-05CVE-2025-59158CWE-116[email protected]

Essential information

Published
05/01/2026 18:15
Modified
05/01/2026 18:15
Author
Creator
CVSS
9.4 CRITICAL (v3) 9.4 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g., member role) can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator later attempts to delete the project or its associated resource, the payload automatically executes in the admin’s browser context. Version 4.0.0-beta.420.7 contains a patch for the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
coolify / coolify cpe:2.3:a:coolify:coolify:<4.0.0-beta.420.7:*:*:*:*:*:*:*

References