What is the CVSS score of CVE-2026-38991?

CVE-2026-38991 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Cockpit CMS are affected by CVE-2026-38991?

Cockpit CMS versions 2.13.5 and earlier contain a critical remote code execution vulnerability that allows authenticated low-privilege users to upload and execute arbitrary PHP code by bypassing file…. A patch is available.

Cockpit CMS CVE-2026-38991

EUVD-2026-26242 HIGH

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-04-29 mitre

GHSA-j2rx-4jg9-79mw

PHP RCE File Upload

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 29, 2026 - 21:37 vuln.today

cvss_changed

Source Code Evidence Fetched

Apr 29, 2026 - 21:22 vuln.today

Analysis Generated

Apr 29, 2026 - 21:22 vuln.today

CVSS changed

Apr 29, 2026 - 21:22 NVD

8.8 (None) 8.8 (HIGH)

EUVD ID Assigned

Apr 29, 2026 - 15:30 euvd

EUVD-2026-26242

Analysis Generated

Apr 29, 2026 - 15:30 vuln.today

CVE Published

Apr 29, 2026 - 00:00 nvd

HIGH 8.8

DescriptionNVD

Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code to be executed on the underlying server.

AnalysisAI

Remote code execution in Cockpit CMS 2.13.5 and earlier allows authenticated users with low privileges to execute arbitrary PHP code on the server. Attackers exploit a filter bypass in the Bucket component's _isFileTypeAllowed function by crafting filenames that evade extension validation, then renaming files to .php for execution. …

RemediationAI

Within 24 hours: Identify all Cockpit CMS deployments and document versions currently in use; restrict file upload functionality via web server configuration (disable PHP execution in upload directories via .htaccess or nginx config). Within 7 days: Implement strict input validation at the application level, enforce PHP execution restrictions in upload directories, and monitor upload/file activity for suspicious patterns. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-38991 vulnerability details – vuln.today

Back

Cockpit CMS CVE-2026-38991

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code