Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.
AnalysisAI
Cockpit CMS versions 2.13.5 and earlier allow authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets via directory traversal in the Buckets component. The vulnerability requires valid user authentication and does not impact confidentiality, but enables integrity compromise through malicious file placement or asset replacement. A proof-of-concept exists, though the SSVC framework rates automatable exploitation as unlikely, suggesting manual attack steps are required.
Technical ContextAI
The vulnerability is a classic directory traversal (path traversal) flaw classified under CWE-22, occurring in the Buckets component responsible for file upload management. Attackers can leverage path traversal sequences (such as '../' or similar Unicode/encoding variants) to escape the intended uploads directory sandbox and write files to arbitrary locations, including asset directories that serve public content. This is a file-handling vulnerability common in content management systems where input validation on file paths is insufficient before filesystem operations.
RemediationAI
Vendor-released patch: Cockpit CMS 2.14.0 or later. Upgrade immediately to v2.14.0 or newer, which includes explicit fixes for the Bucket path traversal vulnerability as documented in the GitHub release notes. If immediate upgrade is not feasible, restrict Bucket upload permissions to trusted users only and implement filesystem-level access controls to prevent writes outside the designated uploads directory. Additionally, apply web server configuration to block requests containing path traversal sequences (e.g., '../') in upload endpoints, though this is a defense-in-depth measure and not a substitute for patching. Note that v2.14.0 also hardens multiple other security aspects including session cookie handling and MongoLite query restrictions, making the upgrade beneficial beyond this single vulnerability.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26243