Cockpit Hq/cockpit
by Cockpit Hq
CVEs (20)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-9302 | | Cri | 0.63 | 9.1 | 0.11 | | May 2, 2018 | SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter. NOTE: this vulnerability exists because of an incomplete fix for… |
| CVE-2017-14611 | | Cri | 0.59 | 9.1 | 0.02 | | Apr 10, 2018 | SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter, related to use of the discontinued aheinze/fetch_url_contents component. |
| CVE-2026-34965 | | Hig | 0.57 | 8.8 | 0.01 | | Apr 29, 2026 | Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can… |
| CVE-2018-11471 | | Med | 0.35 | 5.4 | 0.01 | | May 25, 2018 | Cockpit 0.5.5 has XSS via a collection, form, or region. |
| CVE-2026-23695 | | Med | 0.28 | 5.4 | 0.00 | | May 15, 2026 | Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's… |
| CVE-2026-31891 | | | 0.00 | — | 0.00 | | Mar 18, 2026 | Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the… |
| CVE-2023-4451 | | | 0.00 | — | 0.02 | | Aug 20, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
| CVE-2023-4433 | | | 0.00 | — | 0.00 | | Aug 19, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
| CVE-2023-4432 | | | 0.00 | — | 0.01 | | Aug 19, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
| CVE-2023-4422 | | | 0.00 | — | 0.01 | | Aug 18, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. |
| CVE-2023-4395 | | | 0.00 | — | 0.01 | | Aug 17, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
| CVE-2023-4321 | | | 0.00 | — | 0.01 | | Aug 14, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3. |
| CVE-2023-4196 | | | 0.00 | — | 0.00 | | Aug 6, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. |
| CVE-2023-4195 | | | 0.00 | — | 0.01 | | Aug 6, 2023 | PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. |
| CVE-2023-1313 | | | 0.00 | — | 0.01 | | Mar 10, 2023 | Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4.1. |
| CVE-2023-1160 | | | 0.00 | — | 0.00 | | Mar 3, 2023 | Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit prior to 2.4.0. |
| CVE-2023-0780 | | | 0.00 | — | 0.00 | | Feb 11, 2023 | Improper Restriction of Rendered UI Layers or Frames in GitHub repository cockpit-hq/cockpit prior to 2.3.9-dev. |
| CVE-2023-0759 | | | 0.00 | — | 0.00 | | Feb 9, 2023 | Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8. |
| CVE-2022-2818 | | | 0.00 | — | 0.01 | | Aug 15, 2022 | Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2. |
| CVE-2022-2713 | | | 0.00 | — | 0.01 | | Aug 8, 2022 | Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0. |