Impact
A flaw in Cockpit's Bucket component allows an authenticated attacker to upload or rename files with arbitrary names. The function that checks a file's extension can be bypassed with a specially crafted file name, which lets the attacker give the file a .php extension. Once the file has been renamed, the server executes it, so the attacker can run arbitrary code on the underlying system. The weakness arises from improper input validation during filename handling, which creates an opportunity to alter the configuration of the web application's file-handling logic. This vulnerability can compromise the confidentiality, integrity, and availability of the affected installation.
Affected Systems
Any installation of Cockpit CMS version 2.13.5 or earlier is impacted. The issue originates in the Bucket module, which is part of Cockpit's core. Anyone who operates or hosts such an instance should review their configuration for signs of possible exploitation.
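As an aid to that review, the following added example (not part of the advisory and not Cockpit code) audits a storage directory for files the web server could treat as PHP. The extension list, the 4096-byte content probe and the sample tree are assumptions made for illustration; the directory to scan is whatever path the operator passes to `audit()`.

```python
import tempfile
from pathlib import Path

# Assumption: extensions commonly mapped to the PHP handler; match your server config.
PHP_EXTENSIONS = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "pht"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def classify(name, head):
    """Return the reasons a stored file looks PHP-executable (empty list = clean)."""
    reasons = []
    parts = name.lower().split(".")
    if len(parts) > 1 and parts[-1] in PHP_EXTENSIONS:
        reasons.append("php-extension")
    elif any(p in PHP_EXTENSIONS for p in parts[1:-1]):
        reasons.append("php-inner-extension")  # runs only under multi-extension handlers
    if any(tag in head for tag in PHP_OPEN_TAGS):
        reasons.append("php-open-tag")
    return reasons


def audit(root, head_bytes=4096):
    """Map relative path -> reasons for every suspicious file under root."""
    findings = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            head = fh.read(head_bytes)
        reasons = classify(path.name, head)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Audit a constructed sample tree; every name and content below is made up."""
    samples = {"photo.jpg": b"\xff\xd8\xff\xe0JFIF", "notes.txt": b"hello",
               "avatar.PHP": b"<?php echo 1;", "img/banner.php.png": b"\x89PNG",
               "doc.pdf": b"%PDF-1.7 <?= 1 ?>"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit(root)


if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

A `php-open-tag` hit on a non-PHP extension is a lead to inspect by hand, since the short `<?=` marker can also occur in benign binary data.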
Risk and Exploitability
Because the flaw requires authentication, an attacker must have valid credentials. Once authenticated, however, the attacker can rename any file and trigger PHP execution with full server privileges. No CVSS or EPSS score is publicly available, and the authentication requirement, although it limits who can exploit the flaw, does not reduce the severity of the damage. The vulnerability is not listed in the CISA KEV catalog, and no official workaround has been published. The attack vector is an authenticated session with file management privileges, with the potential for lateral movement and persistence after code execution.