Saved February 14, 2026
Do you care about this?
Researchers have identified multiple severe security flaws in Coolify, an open-source self-hosting platform, including command injection vulnerabilities that could allow an attacker to execute arbitrary commands and gain root access on the host. Users are urged to update to fixed versions immediately; around 52,890 instances are currently exposed to the internet.
If you do, here's more
Cybersecurity researchers have identified multiple critical vulnerabilities in Coolify, an open-source self-hosting platform. The flaws range from authentication bypass to remote code execution, and several carry the maximum CVSS score of 10.0. For instance, CVE-2025-66209 allows an authenticated user with backup permissions to execute arbitrary commands on the host server, potentially leading to full server compromise. Another notable flaw, CVE-2025-64420, lets a low-privileged user read the root user's private key, enabling unauthorized SSH access to the host.
Affected versions are beta releases prior to 4.0.0-beta.451, with fixes shipped in that release and later updates. The fix status of some vulnerabilities remains unclear, particularly CVE-2025-64420 and CVE-2025-64424. As of January 8, 2026, data from Censys shows around 52,890 exposed Coolify hosts, primarily in Germany, the U.S., and France. While there is no evidence of these vulnerabilities being exploited in the wild, their severity warrants applying the updates immediately. Aikido, a security company that discovered some of these flaws, confirmed they were addressed through responsible disclosure.
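A quick way to triage a fleet against the threshold the article gives is to compare each instance's version string with 4.0.0-beta.451. The script below is an added example, not code from the article or the Coolify project. It assumes the version string has the `4.0.0-beta.N` shape used in the article, and that you obtain it yourself (from the Coolify UI or from the image tag of the running container; the `ghcr.io/coollabsio/coolify:<tag>` references in the sample input are constructed for illustration). Because the article says the fix status of CVE-2025-64420 and CVE-2025-64424 is unclear, a "patched" result is reported together with those identifiers rather than as a clean bill of health.

```python
import re
from typing import Dict, Iterable, Optional

# Threshold from the article: beta releases before 4.0.0-beta.451 are affected.
FIXED_BETA = 451

# CVEs whose fix status the article describes as unclear; being on a
# "patched" build does not settle these, so they are always reported.
UNCLEAR_FIX_STATUS = ("CVE-2025-64420", "CVE-2025-64424")

# Accepts "4.0.0-beta.450" or "v4.0.0-beta.450"; anything else is "unknown".
_VERSION_RE = re.compile(r"^v?4\.0\.0-beta\.(\d+)$")


def parse_beta(version: str) -> Optional[int]:
    """Return the beta number from a Coolify 4.0.0-beta.N version string, or None."""
    match = _VERSION_RE.match(version.strip())
    return int(match.group(1)) if match else None


def assess(version: str) -> Dict[str, object]:
    """Classify one version string as vulnerable, patched, or unknown."""
    beta = parse_beta(version)
    if beta is None:
        status = "unknown"  # not a 4.0.0-beta.N string; check by hand
    elif beta < FIXED_BETA:
        status = "vulnerable"
    else:
        status = "patched"
    return {
        "version": version,
        "status": status,
        # Always surface the CVEs the article flags as having an unclear fix.
        "verify_manually": list(UNCLEAR_FIX_STATUS),
    }


def assess_image_refs(refs: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Assess container image references of the form <image>:<tag>.

    A bare version string without an image name is assessed as-is.
    """
    results = {}
    for ref in refs:
        image, _, tag = ref.rpartition(":")
        results[ref] = assess(tag if image else ref)
    return results


if __name__ == "__main__":
    # Constructed sample input (hypothetical image references, not observed data).
    sample_refs = [
        "ghcr.io/coollabsio/coolify:4.0.0-beta.430",
        "ghcr.io/coollabsio/coolify:4.0.0-beta.451",
        "ghcr.io/coollabsio/coolify:latest",
    ]
    for ref, result in assess_image_refs(sample_refs).items():
        print(f"{ref}: {result['status']} (verify manually: {', '.join(result['verify_manually'])})")
```

Treat "patched" as "past the threshold the article names", not as proof the host is clean: the two CVEs with an unclear fix status still need to be checked against the project's own advisories, and an exposed instance should be reviewed for the SSH-key exposure described above regardless of version.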