Impact
A flaw in Cockpit’s Bucket component allows an authenticated attacker to rename arbitrary files with a specially crafted file name that bypasses the component’s extension filter. The renaming can add a .php extension, causing the server to execute the file and granting the attacker arbitrary code execution on the underlying system. This weakness results from improper input validation during filename handling. The impact includes potential compromise of confidentiality, integrity, and availability of the affected installation. The likely attack vector is an authenticated session with file‑management privileges; the CVE description does not state that attackers can upload files, only rename existing ones.
Affected Systems
Any installation of Cockpit CMS version 2.13.5 or earlier is impacted. The issue originates in the Bucket module, which is part of Cockpit's core. Operators who run or host such instances should review their configuration and check for possible exploitation.
Risk and Exploitability
Because the flaw requires authentication, an attacker must have valid credentials. Once authenticated, the attacker can rename any file to a .php extension, causing the server to execute the file and granting full server privileges. The CVSS score is 8.8 and the EPSS score is <1%, indicating a low but nonzero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, and no official workaround is published. The likely attack vector is an authenticated session with file‑management privileges, providing potential for lateral movement and persistence after code execution.
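The following audit is an added example, not code from Cockpit or from the advisory. It flags stored files whose names a PHP-enabled web server could treat as executable, or whose first bytes contain a PHP open tag. The extension list, the heuristics and the directory to scan are assumptions; the advisory does not describe the crafted file name.

```python
import os
import tempfile

# Assumption: extensions a PHP-enabled web server may hand to the interpreter.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "pht"}

def name_findings(filename):
    """Return reasons a stored file name deserves review (empty list if none)."""
    reasons = []
    stripped = filename.rstrip(". ")
    if stripped != filename:
        reasons.append("trailing dot or space")
    parts = [p.strip().lower() for p in stripped.split(".")[1:]]
    if parts and parts[-1] in PHP_EXTS:
        reasons.append("PHP extension")
    elif any(p in PHP_EXTS for p in parts):
        reasons.append("PHP extension before final extension")
    return reasons

def audit_tree(root):
    """Walk root; return {relative_path: [reasons]} for files needing review."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            reasons = name_findings(fn)
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096).lower()
            except OSError:
                head = b""  # unreadable file: judge it by name only
            if b"<?php" in head:
                reasons.append("PHP open tag in first 4 KiB")
            if reasons:
                report[os.path.relpath(path, root)] = reasons
    return report

def demo():
    """Run the audit over a constructed sample tree (not real Cockpit data)."""
    samples = {"photo.jpg": b"\xff\xd8 constructed", "avatar.PHP": b"<?php // constructed",
               "report.php.png": b"constructed", "banner.png": b"\x89PNG <?PHP constructed"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_tree(root)

if __name__ == "__main__":
    print(demo())
```

Point `audit_tree` at the instance's upload or storage directory. A hit is a prompt for review, not proof of compromise.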