Skip to main content

Cockpit CMS CVE-2026-38991

| EUVDEUVD-2026-26242 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-04-29 mitre GHSA-j2rx-4jg9-79mw
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 29, 2026 - 21:37 vuln.today
cvss_changed
Source Code Evidence Fetched
Apr 29, 2026 - 21:22 vuln.today
Analysis Generated
Apr 29, 2026 - 21:22 vuln.today
CVSS changed
Apr 29, 2026 - 21:22 NVD
8.8 (None) 8.8 (HIGH)
EUVD ID Assigned
Apr 29, 2026 - 15:30 euvd
EUVD-2026-26242
Analysis Generated
Apr 29, 2026 - 15:30 vuln.today
CVE Published
Apr 29, 2026 - 00:00 nvd
HIGH 8.8

DescriptionCVE.org

Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code to be executed on the underlying server.

AnalysisAI

Remote code execution in Cockpit CMS 2.13.5 and earlier allows authenticated users with low privileges to execute arbitrary PHP code on the server. Attackers exploit a filter bypass in the Bucket component's _isFileTypeAllowed function by crafting filenames that evade extension validation, then renaming files to .php for execution. Public proof-of-concept exists (SSVC: poc). EPSS data unavailable, but CVSS 8.8 with network vector and low attack complexity indicates high exploitability once authenticated.

Technical ContextAI

Cockpit CMS is a PHP-based headless content management system. The vulnerability resides in the Bucket component's _isFileTypeAllowed function, which performs inadequate validation of file extensions during upload or rename operations. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The filter can be bypassed through specially crafted filenames-likely using null bytes, double extensions, case manipulation, or Unicode encoding tricks common to PHP file upload vulnerabilities. Once an attacker renames an uploaded file to have a .php extension, the web server's PHP interpreter executes the file content as code. Version 2.14.0 release notes explicitly mention 'Fix Bucket path traversal vulnerability' and 'Enhance SVG file handling during uploads', indicating vendor awareness of file handling issues in the Bucket component.

RemediationAI

Upgrade to Cockpit CMS version 2.14.0 or later immediately, available at https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0. The release notes confirm fixes for Bucket path traversal and enhanced SVG file handling addressing the upload validation issues. If immediate patching is not feasible, implement these compensating controls with noted limitations: (1) Restrict Bucket component access to only highly trusted administrators through ACL configuration-reduces attack surface but limits CMS functionality for content editors; (2) Configure PHP disable_functions directive to block system(), exec(), passthru(), shell_exec(), and other code execution functions-may break legitimate CMS features requiring system calls; (3) Deploy Web Application Firewall rules blocking .php in uploaded filenames and monitoring for file rename operations-sophisticated bypass techniques may evade signature-based detection; (4) Set web server to deny execution of PHP files in upload directories via .htaccess (Apache) or location blocks (Nginx)-effective but verify configuration inheritance in nested directories. All compensating controls provide partial defense-in-depth but cannot fully eliminate risk given the fundamental validation flaw. Vendor patch remains the definitive remediation.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-38991 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy