Packagist (Composer) package
cockpit-hq/cockpit
pkg:composer/cockpit-hq/cockpit
Vulnerabilities (25)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-38993 | Medium | 6.5 | — | < 2.14.0 | 2.14.0 | Apr 29, 2026 | Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions. |
| CVE-2026-38991 | High | 8.8 | — | < 2.14.0 | 2.14.0 | Apr 29, 2026 | Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabl |
| CVE-2026-38992 | Critical | 9.8 | — | < 2.14.0 | 2.14.0 | Apr 29, 2026 | Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator. |
| CVE-2026-6626 | Medium | 6.3 | — | < 2.14.0 | 2.14.0 | Apr 20, 2026 | A vulnerability was detected in Cockpit-HQ Cockpit up to 2.13.5. Affected by this issue is some unknown functionality of the component Asset Handler/Aggregate Handler. The manipulation results in improper neutralization of special elements in data query logic. It is possible to l |
| CVE-2026-31891 | — | — | — | < 2.13.5 | 2.13.5 | Mar 18, 2026 | Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/ |
| CVE-2025-7053 | — | — | — | < 2.11.4 | 2.11.4 | Jul 4, 2025 | A vulnerability was found in Cockpit up to 2.11.3. It has been rated as problematic. This issue affects some unknown processing of the file /system/users/save. The manipulation of the argument name/email leads to cross site scripting. The attack may be initiated remotely. Upgradi |
| CVE-2025-1025 | High | 7.5 | — | < 2.4.1 | 2.4.1 | Feb 5, 2025 | Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use a different extension to bypass the upload filter. |
| CVE-2024-4825 | — | — | — | < 2.7.0 | 2.7.0 | May 13, 2024 | A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists of an arbitrary file upload in the ‘/media/api’ parameter via a POST request. An attacker could upload files to the server, compromising the entire infrastructure. |
| CVE-2024-2001 | — | — | — | — | — | Feb 29, 2024 | A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded. |
| CVE-2023-41564 | — | — | — | <= 2.6.3 | — | Sep 8, 2023 | An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file. |
| CVE-2023-4451 | — | — | — | <= 2.6.3 | — | Aug 20, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
| CVE-2023-4433 | — | — | — | <= 2.6.3 | — | Aug 19, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
| CVE-2023-4432 | — | — | — | <= 2.6.3 | — | Aug 19, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
| CVE-2023-4422 | — | — | — | < 2.6.3 | 2.6.3 | Aug 18, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. |
| CVE-2023-4395 | — | — | — | <= 2.6.3 | — | Aug 17, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
| CVE-2023-4321 | — | — | — | <= 2.6.2 | — | Aug 14, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3. |
| CVE-2023-4196 | — | — | — | < 2.6.3 | 2.6.3 | Aug 6, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. |
| CVE-2023-4195 | — | — | — | < 2.6.3 | 2.6.3 | Aug 6, 2023 | PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. |
| CVE-2023-37650 | — | — | — | < 2.6.0 | 2.6.0 | Jul 20, 2023 | A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands. |
| CVE-2023-37649 | — | — | — | < 2.6.0 | 2.6.0 | Jul 20, 2023 | Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data. |
Page 1 of 2