CVE-2025-59158
Stored XSS in Coolify Project Creation Allows Admin Browser Exploit

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges (e.g., member role) can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator later attempts to delete the project or its associated resource, the payload automatically executes in the admin’s browser context. Version 4.0.0-beta.420.7 contains a patch for the issue.
Affected Vendors & Products
Vendor: coollabsio
Product: coolify
Affected versions: up to and including 4.0.0-beta.420.6
CWE
CWE-116: Improper Encoding or Escaping of Output. The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Executive Summary

CVE-2025-59158 is a stored cross-site scripting (XSS) vulnerability in Coolify versions up to and including v4.0.0-beta.420.6. An authenticated user with low privileges (for example the member role) can create a project whose name contains embedded JavaScript. When an administrator later tries to delete that project or one of its resources, the script executes in the administrator's browser, which lets the attacker act with administrative privileges and potentially take full control of the Coolify instance. [1]

Impact Analysis

This vulnerability can lead to privilege escalation from a low-privileged user to full administrative control over the Coolify instance. Exploitation can result in theft of API tokens and session cookies, unauthorized access to WebSocket-based terminal sessions on managed servers, abuse of project management features with admin privileges, and potential persistence and further privilege escalation when combined with other vulnerabilities. [1]

Detection Guidance

Check whether the instance runs a vulnerable version (up to and including v4.0.0-beta.420.6) and inspect existing project names for HTML markup or JavaScript. The proof-of-concept payload is `<details x=xxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt('PoC');">`; because the element carries the `open` attribute, the toggle event fires as soon as it is rendered, so no user interaction is needed. Read the names from the database or from an API response rather than through the admin UI, since the deletion dialog is exactly where a stored payload runs. Any low-privileged account can list projects, so the set of names to review is the same set the attacker can see. No detection commands are given in the source; manual inspection of project metadata and monitoring of administrator actions that trigger project deletions can help identify exploitation attempts. [1]

Mitigation Strategies

Upgrade Coolify to v4.0.0-beta.420.7 or later, which contains the patch. Patching stops the payload from executing but leaves the malicious names in place, so review and rename any project flagged during detection. As defence in depth, HTML-encode all user-controlled values at the point of output (project names included) with escaping that matches the output context, restrict special characters in project metadata, and set a Content Security Policy that disallows inline scripts and inline event handlers, which blocks an `ontoggle` handler like the one in the proof of concept even if an escaping bug remains. [1]
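The detection and hardening steps described above, as an added example that is not part of this advisory or of Coolify's code. It assumes the project list has been exported as JSON-like rows (the rows below are constructed sample data and include the advisory's proof-of-concept payload) and uses a generic deletion-confirmation template, not Coolify's actual views, to show raw interpolation beside context-aware escaping:

```python
"""Scan project names for stored-XSS payloads and show context-aware escaping.

Added example, not Coolify code. The rows below are constructed sample data
with hypothetical column names.
"""
import html
import json
import re
from html.parser import HTMLParser

# The proof-of-concept payload quoted in the advisory.
POC_NAME = '<details x=xxxxxxxxxxxxxxxxxx:2 open ontoggle="prompt(\'PoC\');">'

# Constructed sample export of a projects table (hypothetical column names).
SAMPLE_PROJECTS = [
    {"id": 1, "name": "billing-api", "created_by": "alice"},
    {"id": 2, "name": POC_NAME, "created_by": "mallory"},
    {"id": 3, "name": "R&D <beta>", "created_by": "bob"},
    {"id": 4, "name": '<a href="javascript:alert(1)">docs</a>', "created_by": "mallory"},
    {"id": 5, "name": 'Shop " onmouseover="alert(1)', "created_by": "mallory"},
]

DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "svg", "math"}
# A quote followed by an on*= handler breaks out of an attribute value
# without any '<', so an HTML parser alone never sees a tag.
ATTR_BREAKOUT = re.compile(r"""["']\s*on\w+\s*=""", re.IGNORECASE)
JS_URI = re.compile(r"^\s*javascript:", re.IGNORECASE)


class MarkupInspector(HTMLParser):
    """Collect the tags and the suspicious attributes a browser would act on."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.findings.append(f"markup tag <{tag}>")
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"dangerous tag <{tag}>")
        for attr, value in attrs:
            if attr.startswith("on"):
                self.findings.append(f"event handler {attr} on <{tag}>")
            if value is not None and JS_URI.match(value):
                self.findings.append(f"javascript: URI in {attr} on <{tag}>")


def inspect_name(name):
    """Findings for one project name; an empty list means no markup was found."""
    inspector = MarkupInspector()
    inspector.feed(name)
    inspector.close()
    findings = list(inspector.findings)
    if ATTR_BREAKOUT.search(name):
        findings.append("attribute breakout (quote followed by on*= handler)")
    return findings


def scan_projects(projects):
    """(id, name, findings) for every row whose name should be reviewed."""
    flagged = []
    for row in projects:
        findings = inspect_name(row["name"])
        if findings:
            flagged.append((row["id"], row["name"], findings))
    return flagged


def js_string_literal(value):
    """JS string literal that is safe inside an inline <script> element.

    json.dumps leaves '<', '>' and '&' untouched, so a value containing
    '</script>' would terminate the script element; encode those three as
    \\uXXXX escapes, which the JS engine decodes back inside the string.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_confirm_unsafe(name):
    """Vulnerable pattern: the name is interpolated raw into HTML and into JS."""
    return ('<p>Delete project "' + name + '"?</p>\n'
            '<script>confirm("Delete project \\"' + name + '\\"?")</script>')


def render_confirm_safe(name):
    """Hardened: escape per output context (HTML text vs. JS string literal)."""
    return ('<p>Delete project "' + html.escape(name) + '"?</p>\n'
            '<script>confirm(' + js_string_literal("Delete project " + name + "?") + ')</script>')


def rendered_tags(markup):
    """Tags a parser sees in the fragment, in order; used to check the renderers."""
    inspector = MarkupInspector()
    inspector.feed(markup)
    inspector.close()
    return inspector.tags


if __name__ == "__main__":
    for project_id, name, findings in scan_projects(SAMPLE_PROJECTS):
        print(f"project {project_id}: {name!r}")
        for finding in findings:
            print(f"    - {finding}")
    print("unsafe render:", rendered_tags(render_confirm_unsafe(POC_NAME)))
    print("safe render:  ", rendered_tags(render_confirm_safe(POC_NAME)))
```

Feed the scanner rows pulled from the database or from an API client that returns JSON, never names copied out of the admin UI, since rendering them there is what triggers the payload. The parser-only check would miss row 5, whose attribute-breakout string has no `<` at all, which is why the extra regex is there; and `html.escape` alone is not enough once a name lands inside an inline script string, which is why the hardened renderer uses a separate JS-string encoder for that context.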

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
