Cockpit Cms

1 CVEs product

Monthly

CVE-2026-13533 MEDIUM POC This Month

Unauthenticated remote file and directory exposure in agentejo Cockpit CMS 0.12.2 and earlier allows attackers to access files outside the web root via path traversal through the htaccess Handler's YAML configuration loader. The root cause is CWE-552 (Files or Directories Accessible to External Parties), triggered by unsafe processing of /config/config.yaml via the Spyc::YAMLLoad function, which can expose sensitive configuration data including credentials or internal path structures. A public exploit proof-of-concept exists on GitHub; no vendor patch has been issued, as the vendor did not respond to coordinated disclosure.

Information Disclosure Path Traversal Cockpit Cms
NVD VulDB GitHub
CVSS 4.0: 5.5
EPSS: 0.3%