CVE-2026-31891: SQL Injection in Cockpit

CWE-89: SQL Injection. 6 documents, 5 sources.

Severity: 6.5 MEDIUM (NVD); 7.7 (CNA)
EPSS: 0.0% (top 98.90%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 18

Description

Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users may be vulnerable, and attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability — no admin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

NVD: agentejo/cockpit < 2.13.5
CVEListV5: cockpit-hq/cockpit < 2.13.5
Packagist: cockpit-hq/cockpit < 2.13.5

Patches

Vulnerability Details (4)

CVEList: Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() (2026-03-18)
OSV: CVE-2026-31891: Cockpit is a headless content management system (2026-03-18)
GHSA: Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() (2026-03-17)
OSV: Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() (2026-03-17)

Threat Intelligence (1)

Wiz: CVE-2026-31891 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-31891 — SQL Injection in Cockpit-hq Cockpit | cvebase