Agentejo Cockpit vulnerabilities

CVE-2026-31891 [MEDIUM] CWE-89 CVE-2026-31891: Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users

CVE-2025-7053 [MEDIUM] CWE-79 CVE-2025-7053: A vulnerability was found in Cockpit up to 2.11.3. It has been rated as problematic. This issue affe A vulnerability was found in Cockpit up to 2.11.3. It has been rated as problematic. This issue affects some unknown processing of the file /system/users/save. The manipulation of the argument name/email leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.11.4 is able to address this issue. The patch is named bdc

CVE-2024-6126 [LOW] CVE-2024-6126: A flaw was found in the cockpit package A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack.

CVE-2024-4825 [CRITICAL] CWE-434 CVE-2024-4825: A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary fil A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.

CVE-2024-2947 [HIGH] CVE-2024-2947: A flaw was found in Cockpit A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.

CVE-2024-2001 [MEDIUM] CWE-79 CVE-2024-2001: A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability coul A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.

CVE-2023-41564 [MEDIUM] CWE-434 CVE-2023-41564: An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows att An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.

CVE-2023-4451 [MEDIUM] CWE-79 CVE-2023-4451: Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-4433 [MEDIUM] CWE-79 CVE-2023-4433: Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-4432 [MEDIUM] CWE-79 CVE-2023-4432: Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-4422 [MEDIUM] CWE-79 CVE-2023-4422: Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

CVE-2023-4395 [MEDIUM] CWE-79 CVE-2023-4395: Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-4321 [MEDIUM] CWE-79 CVE-2023-4321: Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3. Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3.

CVE-2023-4195 [HIGH] CWE-98 CVE-2023-4195: PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

CVE-2023-4196 [MEDIUM] CWE-79 CVE-2023-4196: Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

CVE-2023-37649 [HIGH] CVE-2023-37649: Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data.

CVE-2023-37650 [HIGH] CWE-352 CVE-2023-37650: A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to ex A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

CVE-2023-1313 [HIGH] CWE-434 CVE-2023-1313: Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4 Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4.1.

CVE-2023-1160 [MEDIUM] CWE-1103 CVE-2023-1160: Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit prior to 2. Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit prior to 2.4.0.

CVE-2021-32857 [MEDIUM] CWE-79 CVE-2021-32857: Cockpit is a content management system that allows addition of content management functionality to a Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in `htmleditor.js` may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.