Impact
CVE-2026-12815 is an operating‑system command injection flaw in the Image Name Handler of coollabsio coolify 4.0.0. By sending a crafted image name value, a remote attacker can cause the application to execute arbitrary shell commands, compromising confidentiality, integrity, and availability of the underlying host system. The weakness corresponds to CWE‑77 and CWE‑78.
Affected Systems
The affected product is coollabsio coolify version 4.0.0. Versions 4.1.2 and later include improved validation for image, branch, proxy, and deployment inputs, thereby fixing the vulnerability. All earlier releases, including 4.0.0, remain vulnerable.
Risk and Exploitability
The CVSS score of 5.3 places this vulnerability in the medium severity range, while the EPSS score of 1% indicates a low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, and the information available suggests it can be exploited remotely by sending a crafted image name to an exposed endpoint; no prior local privilege or pre‑existing access is required. An attacker who can interact with the application may obtain complete control over the host system through command execution.
OpenCVE Enrichment