Skip to main content

Openitcockpit

17 CVEs product

Monthly

CVE-2026-24893 HIGH PATCH This Week

Remote code execution in openITCOCKPIT Community Edition (versions prior to 5.5.2) allows authenticated users with host management permissions to execute arbitrary OS commands on the monitoring backend via command injection in host address fields. The vulnerability stems from unsanitized user input being expanded into Nagios/Icinga monitoring command templates and executed via shell, enabling full system compromise. CVSS score of 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed CVE.

Command Injection RCE Openitcockpit
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-24892 HIGH POC PATCH This Week

Unsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject malicious serialized objects through changelog entries, with public exploit code available. While no current attack path has been identified, an unrestricted unserialize() call creates a latent remote code execution vulnerability that could be exploited if future code changes introduce exploitable object types into the deserialization path. Authenticated access is required, but the HIGH severity rating reflects the potential for complete system compromise if this latent flaw is activated.

PHP Prometheus RCE Deserialization Openitcockpit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-24891 HIGH POC This Week

Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, which calls unserialize() on untrusted job payloads without validation or class restrictions. Attackers can exploit this by submitting crafted serialized objects to trigger PHP Object Injection when Gearman is exposed to untrusted networks. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP Prometheus Deserialization Openitcockpit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2023-3520 MEDIUM POC PATCH This Month

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository it-novum/openitcockpit prior to 4.6.6. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Openitcockpit
NVD GitHub
CVSS 3.1
4.6
EPSS
0.3%
CVE-2023-36663 HIGH PATCH This Week

it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows SQL Injection (by authenticated users) via the sort parameter of the API interface. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi Openitcockpit
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-3218 MEDIUM POC PATCH This Month

Race Condition within a Thread in GitHub repository it-novum/openitcockpit prior to 4.6.5. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Openitcockpit
NVD GitHub
CVSS 3.1
4.4
EPSS
0.5%
CVE-2020-10788 CRITICAL PATCH Act Now

openITCOCKPIT before 3.7.3 uses the 1fea123e07f730f76e661bced33a94152378611e API key rather than generating a random API Key for WebSocket connections. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Authentication Bypass Openitcockpit
NVD GitHub
CVSS 3.1
9.1
EPSS
1.6%
CVE-2020-10791 MEDIUM PATCH This Month

app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php in openITCOCKPIT before 3.7.3 allows remote authenticated users to trigger outbound TCP requests (aka SSRF) via the Test. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Grafana SSRF PHP Openitcockpit
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-10790 MEDIUM PATCH This Month

openITCOCKPIT before 3.7.3 has unnecessary files (such as Lodash files) under the web root, which leads to XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Openitcockpit
NVD GitHub
CVSS 3.1
5.4
EPSS
0.9%
CVE-2020-10789 CRITICAL PATCH Act Now

openITCOCKPIT before 3.7.3 has a web-based terminal that allows attackers to execute arbitrary OS commands via shell metacharacters that are mishandled on an su command line in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection PHP Openitcockpit
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2020-10792 HIGH PATCH This Week

openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Openitcockpit
NVD GitHub
CVSS 3.1
7.5
EPSS
1.9%
CVE-2019-10227 MEDIUM POC This Month

openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-found component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Openitcockpit
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
1.2%
CVE-2019-15494 CRITICAL Act Now

openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Openitcockpit
NVD GitHub
CVSS 3.0
9.8
EPSS
1.5%
CVE-2019-15493 HIGH This Week

openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openitcockpit
NVD GitHub
CVSS 3.0
7.5
EPSS
1.2%
CVE-2019-15492 MEDIUM PATCH This Month

openITCOCKPIT before 3.7.1 has reflected XSS, aka RVID 3-445b21. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Openitcockpit
NVD GitHub
CVSS 3.0
6.1
EPSS
0.8%
CVE-2019-15491 HIGH This Week

openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Openitcockpit
NVD GitHub
CVSS 3.0
8.8
EPSS
0.6%
CVE-2019-15490 CRITICAL Act Now

openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Openitcockpit
NVD GitHub
CVSS 3.0
9.8
EPSS
1.7%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in openITCOCKPIT Community Edition (versions prior to 5.5.2) allows authenticated users with host management permissions to execute arbitrary OS commands on the monitoring backend via command injection in host address fields. The vulnerability stems from unsanitized user input being expanded into Nagios/Icinga monitoring command templates and executed via shell, enabling full system compromise. CVSS score of 8.8 reflects network-accessible attack with low complexity requiring only low-privilege authentication. No public exploit identified at time of analysis, with EPSS data unavailable for this recently disclosed CVE.

Command Injection RCE Openitcockpit
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Unsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject malicious serialized objects through changelog entries, with public exploit code available. While no current attack path has been identified, an unrestricted unserialize() call creates a latent remote code execution vulnerability that could be exploited if future code changes introduce exploitable object types into the deserialization path. Authenticated access is required, but the HIGH severity rating reflects the potential for complete system compromise if this latent flaw is activated.

PHP Prometheus RCE +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, which calls unserialize() on untrusted job payloads without validation or class restrictions. Attackers can exploit this by submitting crafted serialized objects to trigger PHP Object Injection when Gearman is exposed to untrusted networks. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP Prometheus Deserialization +1
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC PATCH This Month

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository it-novum/openitcockpit prior to 4.6.6. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Openitcockpit
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows SQL Injection (by authenticated users) via the sort parameter of the API interface. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi Openitcockpit
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM POC PATCH This Month

Race Condition within a Thread in GitHub repository it-novum/openitcockpit prior to 4.6.5. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Openitcockpit
NVD GitHub
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

openITCOCKPIT before 3.7.3 uses the 1fea123e07f730f76e661bced33a94152378611e API key rather than generating a random API Key for WebSocket connections. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Authentication Bypass Openitcockpit
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php in openITCOCKPIT before 3.7.3 allows remote authenticated users to trigger outbound TCP requests (aka SSRF) via the Test. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Grafana SSRF PHP +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

openITCOCKPIT before 3.7.3 has unnecessary files (such as Lodash files) under the web root, which leads to XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Openitcockpit
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

openITCOCKPIT before 3.7.3 has a web-based terminal that allows attackers to execute arbitrary OS commands via shell metacharacters that are mishandled on an su command line in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection PHP Openitcockpit
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

openITCOCKPIT through 3.7.2 allows remote attackers to configure the self::DEVELOPMENT or self::STAGING option by placing a hostname containing "dev" or "staging" in the HTTP Host header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Openitcockpit
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-found component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Openitcockpit
NVD Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL Act Now

openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Openitcockpit
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Openitcockpit
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

openITCOCKPIT before 3.7.1 has reflected XSS, aka RVID 3-445b21. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Openitcockpit
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Openitcockpit
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Openitcockpit
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy