CVE-2026-38993

MEDIUM6.5EPSS 0.12%

Cockpit is vulnerable to directory traversal

Published: 4/29/2026Modified: 5/6/2026

Description

Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.

Affected packages (1)

Packagist/cockpit-hq/cockpitfrom 0, < 2.14.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-38993
PATCHhttps://github.com/Cockpit-HQ/Cockpit
WEBhttps://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns
WEBhttps://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0