CVE-2025-59158
high-risk
Published 2026-01-05
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g., member role) can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator later attempts to delete the project or its associated resource, the payload automatically executes in the admin’s browser context. Version 4.0.0-beta.420.7 contains a patch for the issue.
Do I need to act?
-
0.06% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.0/10
High
NETWORK
/ LOW complexity
Affected Products (20)
Affected Vendors
References (1)
61
/ 100
high-risk
Severity
28/34 · Critical
Exploitability
0/34 · Minimal
Exposure
33/34 · Critical