Description
Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.
Published: 2026-04-29
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cockpit CMS exposes an authenticated remote code execution vulnerability at the /cockpit/collections/save_collection endpoint. Authenticated attackers with collection management privileges can inject arbitrary PHP code via rule parameters; the code is written directly to server‑side PHP files and executed through PHP's include() mechanism. This flaw, identified as CWE‑94, allows an attacker to run arbitrary commands on the underlying server, compromising confidentiality, integrity and availability of the entire application and its host.

Affected Systems

The affected product is Cockpit CMS. The specific affected versions are not listed in the CNA data, so any installed instance that has the /cockpit/collections/save_collection endpoint and collection rule functionality may be vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score is not available, and the flaw is not yet listed in the CISA KEV catalog. An attacker must be authenticated and possess collection‑management privileges, a set of rights that can be granted to a user after login. Once those prerequisites are met, the attacker can supply malicious parameters to the collection rule endpoint, causing the server to execute arbitrary PHP code.

Generated by OpenCVE AI on April 30, 2026 at 03:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch for Cockpit CMS as soon as it becomes available.
  • Limit collection‑management privileges to trusted administrators and remove or revoke the role from regular users.
  • Disable the creation of custom collection rule parameters or audit existing rules to ensure they contain no unsafe PHP code.

Advisories

No advisories yet.

History

Fri, 01 May 2026 17:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 08:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Cockpit-hq; Cockpit-hq cockpit

Type: Vendors & Products
Values Removed: (none)
Values Added: Cockpit-hq; Cockpit-hq cockpit

Wed, 29 Apr 2026 20:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.

Type: Title
Values Removed: (none)
Values Added: Cockpit CMS Authenticated Remote Code Execution via Collections

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-94

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0
{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Cockpit-hq Cockpit
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-01T16:38:49.032Z

Reserved: 2026-03-31T17:58:43.754Z

Link: CVE-2026-34965

Vulnrichment

Updated: 2026-05-01T16:38:44.389Z

NVD

Status: Deferred

Published: 2026-04-29T20:16:29.923

Modified: 2026-04-29T21:22:20.120

Link: CVE-2026-34965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:00:12Z

Weaknesses