Vulnerability Management, Patch/Configuration Management

Nearly a dozen Coolify flaws put servers at risk

Coolify, an open-source self-hosting platform, has disclosed 11 critical security flaws that could allow attackers to bypass authentication, achieve remote code execution, and fully take over affected servers, The Hacker News reports.

The issues include several command injection and information disclosure bugs, with CVSS scores ranging from 9.4 to 10.0. Some of the flaws let authenticated users, even those with low privileges, execute arbitrary commands as root, escape containers, and compromise entire servers. Among the vulnerabilities are CVE-2025-64420, which exposes the root user's private SSH key and allows unauthorized server access; CVE-2025-59157, which lets regular users execute arbitrary shell commands during deployment; and CVE-2025-59158, which enables stored cross-site scripting attacks that trigger when administrators manage affected projects.

The flaws affect multiple Coolify 4.0.0 beta versions. Fixes for most of them have been released in newer updates, although the patch status of some remains unclear. According to Censys, around 52,890 Coolify instances were exposed online as of Jan. 8, 2026, mainly in Germany, the U.S., France, Brazil, and Finland.
