CVE-2026-12815 | coollabsio coolify 4.0.0 Image Name os command injection

A vulnerability described as critical has been identified in coollabsio coolify 4.0.0. Impacted is an unknown function of the component Image Name Handler. Such manipulation leads to os command injection.

This vulnerability is listed as CVE-2026-12815. The attack may be performed from remote. In addition, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way. The changelog for 4.1.2 mentions “[i]mproved image, branch, proxy, and deployment input validation”.

CVE-2026-12815 | coollabsio coolify 4.0.0 Image Name os command injection

Post correlati

CVE-2023-3287 | easyappointments up to 1.4.x /admins authorization

CVE-2025-65796 | usememos 0.25.2 Reaction access control

CVE-2026-3053 | DataLinkDC dinky up to 1.2.5 OpenAPI Endpoint AppConfig.java addInterceptors missing authentication

CVE-2026-7718 | Totolink WA300 5.2cu.7112_B20190227 POST Request /cgi-bin/cstecgi.cgi setWebWlanIdx webWlanIdx command injection