CVSS 8.8 · HIGH

CVE-2026-34965

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. PHP code injected through the rule parameters is written directly to server-side PHP files and then executed via include(), giving the attacker arbitrary command execution on the underlying server.


Analysis

Cockpit CMS allows authenticated users with specific collection management privileges to execute arbitrary PHP code on the server. While the impact of remote code execution is high, the requirement for authenticated access and the software's niche status mean it does not meet the threshold for the general community feed.

Severity

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-94

EPSS

Probability of exploitation (next 30 days): 0.0043 (0.4%)
Percentile: 62.6%
EPSS: 2026-05-06


Published: 4/29/2026, 8:16:29 PM
Last modified: 4/29/2026, 9:22:20 PM
