Skip to main content

Cockpit CMS CVE-2026-38993

| EUVDEUVD-2026-26243 MEDIUM
Path Traversal (CWE-22)
2026-04-29 mitre
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

6
Source Code Evidence Fetched
Apr 29, 2026 - 21:23 vuln.today
Analysis Generated
Apr 29, 2026 - 21:23 vuln.today
CVSS changed
Apr 29, 2026 - 21:22 NVD
6.5 (None) 6.5 (MEDIUM)
EUVD ID Assigned
Apr 29, 2026 - 15:30 euvd
EUVD-2026-26243
Analysis Generated
Apr 29, 2026 - 15:30 vuln.today
CVE Published
Apr 29, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.

AnalysisAI

Cockpit CMS versions 2.13.5 and earlier allow authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets via directory traversal in the Buckets component. The vulnerability requires valid user authentication and does not impact confidentiality, but enables integrity compromise through malicious file placement or asset replacement. A proof-of-concept exists, though the SSVC framework rates automatable exploitation as unlikely, suggesting manual attack steps are required.

Technical ContextAI

The vulnerability is a classic directory traversal (path traversal) flaw classified under CWE-22, occurring in the Buckets component responsible for file upload management. Attackers can leverage path traversal sequences (such as '../' or similar Unicode/encoding variants) to escape the intended uploads directory sandbox and write files to arbitrary locations, including asset directories that serve public content. This is a file-handling vulnerability common in content management systems where input validation on file paths is insufficient before filesystem operations.

RemediationAI

Vendor-released patch: Cockpit CMS 2.14.0 or later. Upgrade immediately to v2.14.0 or newer, which includes explicit fixes for the Bucket path traversal vulnerability as documented in the GitHub release notes. If immediate upgrade is not feasible, restrict Bucket upload permissions to trusted users only and implement filesystem-level access controls to prevent writes outside the designated uploads directory. Additionally, apply web server configuration to block requests containing path traversal sequences (e.g., '../') in upload endpoints, though this is a defense-in-depth measure and not a substitute for patching. Note that v2.14.0 also hardens multiple other security aspects including session cookie handling and MongoLite query restrictions, making the upgrade beneficial beyond this single vulnerability.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Vendor StatusVendor

Share

CVE-2026-38993 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy