563 matches found
CVE-2026-59726 Ruflo: Unauthenticated RCE in MCP bridge default docker-compose deployment
Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docker-compose deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without authentication, allowing an unauthenticated network attacker to invoke tools/call to terminalexecute, obtain...
CVE-2026-59726
Affected software: Ruflo, an agent meta-harness for Claude Code and Codex. Vulnerability: unauthenticated access to the MCP bridge endpoints POST /mcp and POST /mcp/:group in the default docker-compose deployment prior to version 3.16.3. Root cause / impact: unauthenticated network attacker could...
Security update for docker-compose (important)
openSUSE security update: security update for docker-compose ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21247-1 Rating: important References: bsc1239340 bsc1239766 bsc1265782 bsc1266625 Cross-References: CVE-2025-0495 CVE-2025-22869...
CVE-2026-42201
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields redispassword, keydbpassword, dragonflypassword, clickhouseadminuser, clickhouseadminpassword, postgresuser, mysqluser are validated only as...
CVE-2026-42201
Coolify (open-source self-hosted tool for managing servers, apps, and databases) is affected up to version 4.0.0-beta.473 by an OS command injection when Docker Compose service commands are constructed from database credential fields (redis_password, keydb_password, dragonfly_password, clickhouse...
CVE-2026-42201 Coolify: OS Command Injection via Database Credential Fields in Docker Compose Service Commands
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields redispassword, keydbpassword, dragonflypassword, clickhouseadminuser, clickhouseadminpassword, postgresuser, mysqluser are validated only as...
EUVD-2026-41999
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields redispassword, keydbpassword, dragonflypassword, clickhouseadminuser, clickhouseadminpassword, postgresuser, mysqluser are validated only as...
CVE-2026-42201
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields redispassword, keydbpassword, dragonflypassword, clickhouseadminuser, clickhouseadminpassword, postgresuser, mysqluser are validated only as...
CVE-2026-34158
Coolify (open-source self-hosted) prior to version 4.0.0-beta.469 is affected by a command-injection in the executeInDocker() helper. The function wraps user-controlled commands in single quotes, but fails to escape embedded single quotes, enabling an attacker who can edit application settings to...
CVE-2026-34158 Coolify: Command injection via single-quote breakout in Docker Compose custom commands
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, the executeInDocker helper wraps user-controlled commands in single quotes without escaping embedded single quotes. Attackers who can edit application settings can inject a...
CVE-2026-42204
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.471 through 4.0.0-beta.473, a regression in SHELLSAFECOMMANDPATTERN allowed ampersands in custom Docker Compose build, start, and pre/post-deployment command fields, allowing an...
CVE-2026-42204
Coolify CVE-2026-42204 affects the 4.0.0-beta.471 to 4.0.0-beta.473 releases, where a regression in the SHELL_SAFE_COMMAND_PATTERN allowed ampersands in custom Docker Compose build, start, and pre/post-deployment command fields. This enabled an authenticated team member to inject shell commands t...
CVE-2026-42204
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.471 through 4.0.0-beta.473, a regression in SHELLSAFECOMMANDPATTERN allowed ampersands in custom Docker Compose build, start, and pre/post-deployment command fields, allowing an...
GHSA-Q4H4-GMJ2-QVW2 vulnerabilities
Vulnerabilities for packages: argo-cd-fips, crossplane-provider-aws-osis-fips, crossplane-provider-aws-ram, ksops, helm, mattermost, crossplane-provider-aws-bedrockagent-fips, docker-cli-buildx-fips, osv-scanner, seaweedfs-rocksdb-fips, upwind-agent, step-issuer,...
GHSA-RM3J-F69W-WQMQ vulnerabilities
Vulnerabilities for packages: argo-cd-fips, crossplane-provider-aws-osis-fips, crossplane-provider-aws-ram, ksops, helm, mattermost, crossplane-provider-aws-bedrockagent-fips, docker-cli-buildx-fips, osv-scanner, seaweedfs-rocksdb-fips, upwind-agent, step-issuer,...
Astra Linux – Vulnerability in docker.io-app
Docker Compose relies on the path information embedded in remote OCI Compose artifacts. When a layer includes the annotations com.dockercompose.extends or com.dockercompose.envfile, Compose incorporates the value provided by the attacker from com.dockercompose.file/com.dockercompose.envfile into...
CVE-2026-53489 vulnerabilities
Vulnerabilities for packages: trivy-operator, helm, newrelic-infrastructure-agent, k9s, docker-cli-buildx-fips, cg, livekit-cli, datadog-agent-fips, spegel, zot, scorecard, kube-mgmt, tigera-operator, manifest-tool, neuvector-scanner, spegel-fips, gitlab-rails-ce-fips, beats-fips,...
GHSA-CVXM-645Q-P574 vulnerabilities
Vulnerabilities for packages: trivy-operator, helm, newrelic-infrastructure-agent, k9s, docker-cli-buildx-fips, cg, livekit-cli, datadog-agent-fips, spegel, zot, scorecard, kube-mgmt, tigera-operator, manifest-tool, neuvector-scanner, spegel-fips, gitlab-rails-ce-fips, beats-fips,...
CVE-2026-53492 vulnerabilities
Vulnerabilities for packages: trivy-operator, helm, newrelic-infrastructure-agent, k9s, docker-cli-buildx-fips, cg, livekit-cli, datadog-agent-fips, spegel, zot, scorecard, kube-mgmt, tigera-operator, manifest-tool, neuvector-scanner, spegel-fips, gitlab-rails-ce-fips, beats-fips,...
GHSA-33VJ-92QQ-66HC vulnerabilities
Vulnerabilities for packages: trivy-operator, helm, newrelic-infrastructure-agent, k9s, docker-cli-buildx-fips, cg, livekit-cli, datadog-agent-fips, spegel, zot, scorecard, kube-mgmt, tigera-operator, manifest-tool, neuvector-scanner, spegel-fips, gitlab-rails-ce-fips, beats-fips,...