Coolify Stored Cross-Site Scripting Vulnerability in Project Creation Workflow

Vulnerability

A stored cross-site scripting vulnerability has been identified in Coolify versions prior to v4.0.0-beta.420.6. This issue allows an authenticated user with low privileges to create a project with a name that includes embedded JavaScript. When an administrator tries to delete the project or its related resources, the malicious payload executes in the admin's browser, potentially compromising the entire Coolify instance. This could lead to the theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected project, particularly administrators.

Remediation

Users are advised to update to Coolify version v4.0.0-beta.420.7 or later, where this vulnerability has been fixed.

Added: Aug 27, 2025, 5:22 PM
Updated: Aug 27, 2025, 5:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.0
remediation: 7.7
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.