CVE-2025-22611

CRITICAL Year: 2025
CVSS v3 Score
9.9
Critical
Weakness Type
CWE-862
View all →

Vulnerability Description

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team members privileges to any role, including the owner role. He's also able to kick every other member out of the team, including admins and owners. This allows the attacker to access the `Terminal` feature and execute remote commands. Version 4.0.0-beta.361 fixes the issue.

Related Vulnerabilities

CVE-2013-3960

CRITICAL
CVSS:9.9(Critical)

Easytime Studio Easy File Manager 1.1 has a HTTP request security bypass

CWE-8622013

CVE-2019-15954

CRITICAL
CVSS:9.9(Critical)

An issue was discovered in Total.js CMS 12.0.0. An authenticated user with the widgets privilege can gain achieve Remote Command Execution (RCE) on the remote server by creating a malicious widget wit...

CWE-8622019

CVE-2020-36837

CRITICAL
CVSS:9.9(Critical)

The ThemeGrill Demo Importer plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the reset_wizard_actions function in versions 1.3.4 through 1.6.1. This ma...

CWE-8622020

CVE-2023-49742

CRITICAL
CVSS:9.9(Critical)

Missing Authorization vulnerability in Support Genix.This issue affects Support Genix: from n/a through 1.2.3.

CWE-8622023

CVE-2024-57726

CRITICAL
CVSS:9.9(Critical)

SimpleHelp remote support software v5.5.7 and before has a vulnerability that allows low-privileges technicians to create API keys with excessive permissions. These API keys can be used to escalate pr...

CWE-8622024

CVE-2011-4183

CRITICAL
CVSS:9.8(Critical)

A vulnerability in open build service allows remote attackers to upload arbitrary RPM files. Affected releases are SUSE open build service prior to 2.1.16.

CWE-8622011