Lucene search
K

34 matches found

CVE
CVE
added 4 days ago14 views

CVE-2026-55500

CVE-2026-55500 (9router) exposes a critical flaw in the /api/settings/database endpoint. The GET export returns the entire database, including plaintext API keys, OAuth tokens, and provider credentials, while POST can wipe-and-replace the database with attacker-controlled data. This bypasses auth...

9.9CVSS6.1AI score0.00685EPSS
Exploits0References3
NVD
NVD
added 2026/07/07 4:17 a.m.10 views

CVE-2026-34057

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component app/Livewire/Project/Database/Import.php allows client-controlled container and server properties to reach shell commands without...

8.8CVSS0.00347EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/07 3:17 a.m.5 views

EUVD-2026-41994

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component app/Livewire/Project/Database/Import.php allows client-controlled container and server properties to reach shell commands without...

8.8CVSS6AI score0.00347EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/07 3:17 a.m.7 views

CVE-2026-34057

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component app/Livewire/Project/Database/Import.php allows client-controlled container and server properties to reach shell commands without...

8.8CVSS6AI score0.00347EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/07/07 3:17 a.m.33 views

CVE-2026-34057 Coolify: Authenticated Remote Code Execution via Command Injection in Database Import Container Name

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component app/Livewire/Project/Database/Import.php allows client-controlled container and server properties to reach shell commands without...

8.8CVSS0.00347EPSS
Exploits0References3
CVE
CVE
added 2026/07/07 3:17 a.m.11 views

CVE-2026-34057

CVE-2026-34057 affects Coolify prior to version 4.0.0-beta.471. The vulnerability resides in the database import Livewire component (app/Livewire/Project/Database/Import.php), where client-controlled container and server properties could reach shell commands without proper locking/validation, ena...

8.8CVSS6AI score0.00347EPSS
Exploits0References3
OSV
OSV
added 2026/07/07 3:17 a.m.4 views

CVE-2026-34057 Coolify: Authenticated Remote Code Execution via Command Injection in Database Import Container Name

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the database import Livewire component app/Livewire/Project/Database/Import.php allows client-controlled container and server properties to reach shell commands without...

8.8CVSS6AI score0.00347EPSS
Exploits0References5
NVD
NVD
added 2026/06/25 4:16 p.m.9 views

CVE-2026-55477

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...

7.2CVSS0.00342EPSS
Exploits0References1
CVE
CVE
added 2026/06/25 3:0 p.m.21 views

CVE-2026-55477

3X-UI before version 3.3.1 is affected. An authenticated administrator can abuse the database import functionality to write arbitrary files on the host by altering Xray configuration values stored in the database, enabling code execution and persistent access as the Xray process user (including r...

7.2CVSS6.4AI score0.00342EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 3:0 p.m.6 views

CVE-2026-55477

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...

7.2CVSS6.4AI score0.00342EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/25 3:0 p.m.5 views

EUVD-2026-39432

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...

7.2CVSS6.4AI score0.00342EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/25 3:0 p.m.32 views

CVE-2026-55477 Authenticated Arbitrary File Write via Database Import and Xray Log Path Manipulation

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...

7.2CVSS0.00342EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/06/12 2:32 a.m.13 views

SUSE CVE-2026-11786

A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation...

6.5CVSS5.7AI score0.0016EPSS
Exploits0References3
NVD
NVD
added 2026/06/09 2:16 p.m.12 views

CVE-2026-11786

A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation...

6.5CVSS0.0016EPSS
Exploits0References2
OSV
OSV
added 2026/06/09 2:16 p.m.12 views

UBUNTU-CVE-2026-11786

A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation...

6.5CVSS5.5AI score0.0016EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/06/09 12:57 p.m.15 views

CVE-2026-11786 389-ds-base: 389-ds-base: heap out-of-bounds read in ldif parser str2entry_state_information_from_type()

A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation...

1.9CVSS5.6AI score0.0016EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2026/06/09 12:57 p.m.9 views

CVE-2026-11786

A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation...

6.5CVSS5.6AI score0.0016EPSS
Exploits0
The Hacker News
The Hacker News
added 2026/01/08 9:53 a.m.7 views

Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise on Self-Hosted Instances

Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify, an open-source, self-hosting platform, that could result in authentication bypass and remote code execution. The list of vulnerabilities is as follows - CVE-2025-66209 CVSS score: 10.0...

9.9CVSS7.9AI score0.0376EPSS
Exploits12
RedhatCVE
RedhatCVE
added 2025/12/24 10:29 p.m.5 views

CVE-2025-66210

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute...

9.4CVSS9AI score0.02701EPSS
Exploits2References1
NVD
NVD
added 2025/12/23 10:15 p.m.7 views

CVE-2025-66210

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.451, an authenticated command injection vulnerability in the Database Import functionality allows users with application/service management permissions to execute...

9.4CVSS0.02701EPSS
Exploits2References4
Rows per page
Query Builder