Vulnerabilities
Vulnerable Software
Security Vulnerabilities
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the `dotfiles` registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted `dotfiles_uri` value (for example, one containing shell command substitution such as `$(...)`) could achieve command execution in their own workspace. The Create Workspace page's `mode=auto` deep links amplified this into a one-click attack: an attacker could craft a URL that prefilled `param.dotfiles_uri` and silently provisioned a workspace with the attacker-controlled value, with no explicit user confirmation. In versions 2.29.7 and 2.30.2, input validation was added to the dotfiles module to reject URIs and usernames containing special characters, and the unsafe `eval`/`sh -c` usage was removed. This eliminated the command injection at its source.
CVSS Score
8.1
EPSS Score
0.026
Published
2026-07-07
Improper validation leads to a generic XSS vector in the language override feature.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
An improper access check allows unauthorized users to access workflow stage and transition information.
CVSS Score
6.4
EPSS Score
0.002
Published
2026-07-07
An improper access check allows users to display a list of modules in the frontend.
CVSS Score
6.4
EPSS Score
0.002
Published
2026-07-07
An improper access check allows unauthorized users to access com_privacy datasets.
CVSS Score
6.4
EPSS Score
0.002
Published
2026-07-07
An improper access check allows unauthorized users to create custom fields via webservices endpoints.
CVSS Score
6.4
EPSS Score
0.003
Published
2026-07-07
Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user's API keys via `DELETE /api/v2/users/{user}/keys`.
CVSS Score
5.4
EPSS Score
0.003
Published
2026-07-07
Lack of validation leads to an XSS vulnerability in the MFA management views.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07


Contact Us

Shodan ® - All rights reserved