Description
A vulnerability has been found in coollabsio coolify 4.0.0. Impacted is an unknown function of the component Image Name Handler. Such manipulation leads to os command injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way. The changelog for 4.1.2 mentions "[i]mproved image, branch, proxy, and deployment input validation".
Published: 2026-06-21
Score: 5.3 Medium
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CVE-2026-12815 is an operating‑system command injection flaw in the Image Name Handler of coollabsio coolify 4.0.0. By sending a crafted image name value, a remote attacker can cause the application to execute arbitrary shell commands, compromising confidentiality, integrity, and availability of the underlying host system. The weakness corresponds to CWE‑77 and CWE‑78.

Affected Systems

The affected product is coollabsio coolify version 4.0.0. Versions 4.1.2 and later include improved validation for image, branch, proxy, and deployment inputs, thereby fixing the vulnerability. All earlier releases, including 4.0.0, remain vulnerable.

Risk and Exploitability

The CVSS score of 5.3 places this vulnerability in the medium severity range, while the EPSS score of 1% indicates a low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, and the information available suggests it can be exploited remotely by sending a crafted image name to an exposed endpoint; no prior local privilege or pre‑existing access is required. An attacker who can interact with the application may obtain complete control over the host system through command execution.

Generated by OpenCVE AI on June 24, 2026 at 11:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade coolify to version 4.1.2 or later where input validation is corrected.
  • If an upgrade is not immediately possible, restrict network access to the Image Name Handler endpoint so that only trusted users can submit image names.
  • Validate or sanitize all image name inputs on the server side, ensuring they do not contain special shell characters or path traversal sequences.

Generated by OpenCVE AI on June 24, 2026 at 11:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in coollabsio coolify 4.0.0. Impacted is an unknown function of the component Image Name Handler. Such manipulation leads to os command injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way. The changelog for 4.1.2 mentions "[i]mproved image, branch, proxy, and deployment input validation".
Title coollabsio coolify Image Name os command injection
First Time appeared Coollabsio
Coollabsio coolify
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:a:coollabsio:coolify:*:*:*:*:*:*:*:*
Vendors & Products Coollabsio
Coollabsio coolify
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Coollabsio Coolify
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-22T17:52:45.755Z

Reserved: 2026-06-21T06:29:26.944Z

Link: CVE-2026-12815

cve-icon Vulnrichment

Updated: 2026-06-22T17:51:37.545Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')