Back to overview

CVE-2026-42145

LOW
3.1
CVSS 3.1
Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the file upload endpoint (app/Http/Controllers/UploadController.php) for database backup restore uploads did not enforce file type or size validation, allowing an authenticated user to upload unexpected or oversized files that could affect service availability. This issue is fixed in version 4.0.0-beta.474.

Metadata

CVE ID
CVE-2026-42145
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-04-24 17:15 UTC
Published
2026-07-07 03:03 UTC
Last updated
2026-07-07 03:03 UTC
Primary CWE
CWE-434
CWE-434: Unrestricted Upload of File with Dangerous Type
Vendor / Product
coollabsio / coolify
Sources
cve.org  ·  NVD

Severity & Metrics

3.1 LOW CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Affected products (1)
VendorProductPlatformVersions
coollabsio coolify < 4.0.0-beta.474
Weakness (CWE)
CWESourceDescription
CWE-434 cna CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-770 cna CWE-770: Allocation of Resources Without Limits or Throttling
CVSS scores (1)
ScoreSeverityVersionSourceVector
3.1 LOW 3.1 cna CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
References (4)
Back to overview