Home

Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the file upload endpoint (app/Http/Controllers/UploadController.php) for database backup restore uploads did not enforce file type or size validation, allowing an authenticated user to upload unexpected or oversized files that could affect service availability. This issue is fixed in version 4.0.0-beta.474.

PUBLISHED Reserved 2026-04-24 | Published 2026-07-07 | Updated 2026-07-09 | Assigner GitHub_M




LOW: 3.1CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-434: Unrestricted Upload of File with Dangerous Type

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

< 4.0.0-beta.474
affected

References

github.com/...oolify/security/advisories/GHSA-66gv-g2w9-6wxp

github.com/coollabsio/coolify/pull/9667

github.com/...ommit/e6a6446daeace2999fb77888a611a3271812911f

github.com/coollabsio/coolify/releases/tag/v4.0.0-beta.474

cve.org (CVE-2026-42145)

nvd.nist.gov (CVE-2026-42145)

Download JSON