PatchSiren cyber security CVE debrief
CVE-2026-42148 coollabsio CVE debrief
CVE-2026-42148 is a vulnerability in Coolify, an open-source tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.474, the buildHelperImage method in app/Livewire/Settings/Index.php constructs a Docker build command using the dev_helper_version field without shell escaping. This allows an attacker who can set the helper version and trigger the helper image build in a development environment to execute arbitrary commands on the server. The issue is fixed in version 4.0.0-beta.474. Users of Coolify should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- coollabsio
- Product
- coolify
- CVSS
- LOW 3.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of Coolify prior to version 4.0.0-beta.474 should be aware of this vulnerability and take steps to mitigate it. This includes updating to the latest version and ensuring that the development environment is properly secured. Operators, platform administrators, vulnerability management teams, and security teams may be impacted by this vulnerability.
Technical summary
The buildHelperImage method in app/Livewire/Settings/Index.php of Coolify prior to 4.0.0-beta.474 is vulnerable to command injection. An attacker who can set the dev_helper_version field and trigger the helper image build can execute arbitrary commands on the server. This is due to the lack of shell escaping in the Docker build command construction. The vulnerability affects Coolify, an open-source tool for managing servers, applications, and databases.
Defensive priority
Medium
Recommended defensive actions
- Update Coolify to version 4.0.0-beta.474 or later
- Ensure that the development environment is properly secured
- Monitor for suspicious activity in the development environment
- Implement additional security measures to prevent command injection attacks
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-06T22:16:49.257Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The buildHelperImage method in app/Livewire/Settings/Index.php constructs a Docker build command using the dev_helper_version field without shell escaping, allowing an attacker to execute arbitrary commands on the server. This issue is fixed in version 4.0.0-beta.474.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T22:16:49.257Z and has not been modified since then.