CVE-2026-12815 coollabsio CVE debrief

Who should care

Defenders of coollabsio coolify 4.0.0 installations should prioritize patching or mitigating this vulnerability to prevent potential remote OS command injection attacks. Security teams responsible for containerized environments or continuous integration/continuous deployment (CI/CD) pipelines using coolify should assess their exposure and take appropriate actions.

Technical summary

The vulnerability exists in the Image Name Handler component of coollabsio coolify 4.0.0. An unknown function in this component is susceptible to OS command injection, allowing remote attackers to execute arbitrary commands. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, indicating a low severity score of 2.1. The weakness is classified under CWE-77 and CWE-78.

Defensive priority

Low severity, but remote exploitability suggests prioritizing patching or mitigation to limit exposure

Recommended defensive actions

• Inventory coolify 4.0.0 installations and assess exposure
• Review and apply vendor-supported remediation or patches
• Implement compensating controls such as input validation and command sanitization
• Monitor for suspicious activity related to image name handling
• Track exceptions or anomalies in coolify logs

Evidence notes

The primary evidence for this vulnerability comes from the CVE record and NVD details. The affected product is coollabsio coolify version 4.0.0. The scope of the vulnerability is limited to the Image Name Handler component. Defenders should verify the presence of this vulnerability in their environments and check for official advisories or patches from coollabsio.

Official resources