CVE-2026-38992

CRITICAL9.8EPSS 0.11%

Cockpit is vulnerable to arbitrary code execution

發布日:2026/4/29修改日:2026/5/6

描述

Cockpit versions 2.13.5 and earlier are vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator.

受影響套件(1)

Packagist/cockpit-hq/cockpitfrom 0, < 2.14.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-38992
PATCHhttps://github.com/Cockpit-HQ/Cockpit
WEBhttps://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns
WEBhttps://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0