Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers.
History

Wed, 27 Aug 2025 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 Aug 2025 17:00:00 +0000

Type | Values Removed | Values Added
Description | | Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin’s browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers.
Title | | Coolify Stored Cross-Site Scripting (XSS) in Project Name Field
Weaknesses | | CWE-20, CWE-79
References | |
Metrics | | cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-08-27T17:47:18.634Z

Reserved: 2025-04-15T19:15:22.565Z

Link: CVE-2025-34157

Vulnrichment

Updated: 2025-08-27T17:47:03.167Z

NVD

Status: Awaiting Analysis

Published: 2025-08-27T17:15:37.930

Modified: 2025-08-29T16:24:09.860

Link: CVE-2025-34157

Redhat

No data.

OpenCVE Enrichment

No data.