Skip to main content

Cockpit CMS CVE-2026-13533

| EUVDEUVD-2026-40030 MEDIUM
Files or Directories Accessible to External Parties (CWE-552)
2026-06-29 VulDB GHSA-q4hh-wg87-823q
5.5
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-accessible with no auth or user interaction required; impact is limited to partial confidentiality loss (config file exposure), no integrity or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 29, 2026 - 06:22 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Jun 29, 2026 - 05:47 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in agentejo Cockpit CMS up to 0.12.2. Affected by this issue is the function Spyc::YAMLLoad of the file /config/config.yaml of the component htaccess Handler. Such manipulation leads to files or directories accessible. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Configuration settings should be changed. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Unauthenticated remote file and directory exposure in agentejo Cockpit CMS 0.12.2 and earlier allows attackers to access files outside the web root via path traversal through the htaccess Handler's YAML configuration loader. The root cause is CWE-552 (Files or Directories Accessible to External Parties), triggered by unsafe processing of /config/config.yaml via the Spyc::YAMLLoad function, which can expose sensitive configuration data including credentials or internal path structures. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Cockpit CMS instance via fingerprinting
Delivery
Send crafted HTTP request targeting /config/config.yaml path
Exploit
Bypass htaccess Handler access control via path traversal
Execution
Retrieve YAML configuration contents
Impact
Extract credentials or sensitive configuration values

Vulnerability AssessmentAI

Exploitation Target must be running agentejo Cockpit CMS version 0.12.2 or earlier with the htaccess Handler component active - this is the default configuration for Apache-hosted deployments. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N) reflects a remotely exploitable, low-complexity flaw requiring no authentication, but with only low confidentiality impact - no integrity or availability consequences are assessed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends a crafted HTTP GET request to a publicly accessible Cockpit CMS instance, targeting the htaccess Handler's YAML config loading path with traversal sequences (e.g., ../../config/config.yaml or equivalent). Because the .htaccess-based restriction is not reliably enforced by the handler, the server returns the raw contents of the YAML configuration file, potentially exposing database credentials, API keys, or internal directory structures. …
Remediation No vendor-released patch has been identified at time of analysis; the vendor (agentejo) did not respond to disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13533 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy