PHP
CVE-2026-31891
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
This is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer.
Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected.
Who is impacted:
- Any deployment where the
/api/content/aggregate/{model}endpoint is publicly
accessible or reachable by untrusted users.
- Attackers in possession of a valid read-only API key (the lowest privilege level)
can exploit this vulnerability - no admin access is required.
What an attacker can do:
- Inject arbitrary SQL via unsanitized field names in aggregation queries.
- Bypass the
_state=1published-content filter to access unpublished or restricted content. - Extract unauthorized data from the underlying SQLite content database.
Confidentiality impact is High. Integrity and availability are not directly affected by this vulnerability.
Patches
This vulnerability has been patched in version 2.13.5.
All users running Cockpit CMS version 2.13.4 or earlier are strongly advised to upgrade to 2.13.5 or later immediately.
- https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5
The fix applies the same field-name sanitization introduced in v2.13.3 for toJsonPath() to the toJsonExtractRaw() method in lib/MongoLite/Aggregation/Optimizer.php, closing the injection vector in the Aggregation Optimizer.
AnalysisAI
SQL injection in Cockpit CMS version 2.13.4 and earlier allows attackers with a valid read-only API key to inject arbitrary SQL through the /api/content/aggregate/{model} endpoint and extract unauthorized data from the SQLite database, including unpublished content. The vulnerability requires network access and low-privilege API credentials, enabling data exfiltration without administrative privileges. No patch is currently available.
Technical ContextAI
The vulnerability affects Cockpit CMS (CPE: pkg:composer/cockpit-hq_cockpit), specifically in the MongoLite Aggregation Optimizer component at the /api/content/aggregate/{model} endpoint. As classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the flaw stems from inadequate input sanitization in the toJsonExtractRaw() method within lib/MongoLite/Aggregation/Optimizer.php, where field names are not properly sanitized before being incorporated into SQL queries. MongoLite is Cockpit's embedded database abstraction layer that translates MongoDB-style queries to SQLite operations, and the vulnerability allows injection at this translation layer.
RemediationAI
Immediately upgrade Cockpit CMS to version 2.13.5 or later, which applies proper field-name sanitization to the toJsonExtractRaw() method (see release at https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5). For installations that cannot immediately upgrade, consider temporarily restricting access to the /api/content/aggregate/{model} endpoint through web server configuration or firewall rules, limiting API access to trusted IP addresses only. Review and rotate any API keys that may have been exposed, as even read-only keys can be used to exploit this vulnerability.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-7x5c-vfhj-9628