CVE-2026-38992

CRITICAL 9.8 | EPSS 0.11%

Cockpit is vulnerable to arbitrary code execution

Published: 4/29/2026
Modified: 5/6/2026
Also known as: GHSA-fm6c-rhcf-7439

Description

Cockpit versions 2.13.5 and earlier are vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator.

Affected packages (1)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)