CVE-2025-59158 is a stored cross-site scripting (XSS) vulnerability identified in Coolify, an open-source and self-hostable platform designed for managing servers, applications, and databases. The flaw exists in versions prior to and including 4.0.0-beta.420.6 due to improper encoding or escaping of output (CWE-116) in the project creation workflow. Specifically, an authenticated user with low privileges, such as a member role, can create a project with a name containing malicious JavaScript code. This payload is stored persistently within the application. When an administrator later attempts to delete the project or its associated resources, the malicious script executes automatically in the administrator’s browser context. This execution can lead to session hijacking, credential theft, or unauthorized actions performed with administrative privileges. The vulnerability does not require the attacker to have admin rights initially, nor does it require additional user interaction beyond the admin performing standard management operations. The vulnerability is remotely exploitable over the network without complex attack vectors, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H). The high CVSS score of 9.4 reflects the critical nature of this vulnerability, emphasizing its potential to compromise confidentiality, integrity, and availability of the affected systems. The issue was addressed and patched in Coolify version 4.0.0-beta.420.7, which properly encodes or escapes output to prevent script injection.

For European organizations using Coolify to manage their infrastructure, this vulnerability presents a significant risk. An attacker with low-level access can escalate their impact by injecting malicious scripts that execute in the context of administrators, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, disruption of critical services, and lateral movement within the network. The stored XSS can facilitate theft of admin credentials or session tokens, enabling persistent unauthorized access. Given that Coolify is used to manage servers, applications, and databases, exploitation could lead to widespread operational disruption and data breaches. The impact is especially critical for organizations in sectors with strict data protection regulations such as GDPR, where unauthorized access or data leakage can lead to severe legal and financial penalties. Additionally, the vulnerability could be leveraged as a foothold for further attacks, including deployment of ransomware or espionage activities. The lack of known exploits in the wild currently reduces immediate threat but does not diminish the urgency for remediation due to the ease of exploitation and high severity.

European organizations should immediately upgrade all Coolify instances to version 4.0.0-beta.420.7 or later to apply the official patch that fixes the improper output encoding. Until the upgrade can be performed, organizations should restrict project creation permissions to trusted users only, minimizing the risk of malicious project names being introduced. Implement strict input validation and output encoding at the application layer to prevent injection of executable scripts. Administrators should be trained to recognize suspicious project names and avoid interacting with untrusted projects. Employ Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources. Regularly audit user roles and permissions to ensure least privilege principles are enforced. Monitor logs for unusual administrative actions or project creations. Consider isolating Coolify administrative interfaces behind VPNs or zero-trust network access to limit exposure. Finally, maintain an incident response plan to quickly address any suspected exploitation.