Cockpit-Hq Cockpit vulnerabilities
20 known vulnerabilities affecting cockpit-hq/cockpit.
Total CVEs: 20
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 11, MEDIUM 7
Vulnerabilities
CVE-2026-31891 [MEDIUM] CWE-89 CVSS 6.5
Fixed in: 2.13.5. Date: 2026-03-18. Sources: cvelistv5, ghsa, nvd, osv.
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users
CVE-2025-7053 [MEDIUM] CWE-79 Cockpit - Content Platform vulnerable to XSS through name or email argument names
Affected: ≥ 0, < 2.11.4. Date: 2025-07-04. Sources: ghsa, osv.
A vulnerability was found in Cockpit versions up to 2.11.3. This issue affects some unknown processing instances of the file /system/users/save. The manipulation of the arguments "name" or "email" leads to cross-site scripting. The attack may be initiated remotely. Upgrading to version 2.11.4 will addres
CVE-2025-1025 [HIGH] CWE-434 CVSS 7.7, PoC available
Fixed in: 2.4.1. Date: 2025-02-05. Sources: cvelistv5, ghsa, nvd, osv.
Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload, where an attacker can use a different extension to bypass the upload filter.
CVE-2024-4825 [CRITICAL] CWE-434 Cockpit CMS contains an arbitrary file upload vulnerability
Affected: ≥ 0, < 2.7.0. Date: 2024-05-14. Sources: ghsa, osv.
A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists of an arbitrary file upload in the ‘/media/api’ parameter via a POST request. An attacker could upload files to the server, compromising the entire infrastructure.
CVE-2023-41564 [MEDIUM] CWE-434 Cockpit CMS arbitrary file upload vulnerability
Affected: ≥ 0, ≤ 2.6.3. Date: 2023-09-09. Sources: ghsa, osv.
An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted `.shtml` file.
CVE-2023-4451 [MEDIUM] CWE-79 Cockpit Cross-site Scripting vulnerability (PoC available)
Affected: ≥ 0, ≤ 2.6.3. Date: 2023-08-20. Sources: ghsa, osv.
Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit version 2.6.3 and prior. A patch is available at commit 30609466c817e39f9de1871559603e93cd4d0d0c and anticipated to be part of version 2.6.4.
CVE-2023-4432 [HIGH] CWE-79 Cockpit Cross-site Scripting vulnerability
Affected: ≥ 0, ≤ 2.6.3. Date: 2023-08-19. Sources: ghsa, osv.
Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit version 2.6.3 and prior. A patch is available at commit 2a93d391fbd2dd9e730f65d43b29beb65903d195 and anticipated to be part of version 2.6.4.
CVE-2023-4433 [HIGH] CWE-79 Cockpit Cross-site Scripting vulnerability
Affected: ≥ 0, ≤ 2.6.3. Date: 2023-08-19. Sources: ghsa, osv.
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit version 2.6.3 and prior. A patch is available at commit 36d1d4d256cbbab028342ba10cc493e5c119172c and anticipated to be part of version 2.6.4.
CVE-2023-4422 [MEDIUM] CWE-79 Cockpit Cross-site Scripting vulnerability
Affected: ≥ 0, < 2.6.3. Date: 2023-08-18. Sources: ghsa, osv.
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
CVE-2023-4395 [HIGH] CWE-79 Cockpit Cross-site Scripting vulnerability
Affected: ≥ 0, ≤ 2.6.3. Date: 2023-08-17. Sources: ghsa, osv.
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit 2.6.3 and prior. A patch is available at commit 36d1d4d256cbbab028342ba10cc493e5c119172c and anticipated to be part of version 2.6.4.
CVE-2023-4321 [HIGH] CWE-79 Cockpit Cross-site Scripting vulnerability
Affected: ≥ 0, ≤ 2.6.2. Date: 2023-08-14. Sources: ghsa, osv.
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit 2.6.2 and prior. A patch is available at commit 34ab31ee9362da51b9709e178469dbffd7717249.
CVE-2023-4195 [CRITICAL] CWE-98 Cockpit PHP Remote File Inclusion vulnerability
Affected: ≥ 0, < 2.6.3. Date: 2023-08-06. Sources: ghsa, osv.
PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. Users may upload php files through the system file upload utility to obtain remote code execution.
CVE-2023-4196 [HIGH] CWE-79 Cockpit Cross-site Scripting vulnerability
Affected: ≥ 0, < 2.6.3. Date: 2023-08-06. Sources: ghsa, osv.
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. For any role that has permission to execute function assets, an attacker can upload an HTML file, which leads to XSS.
CVE-2023-37650 [HIGH] CWE-352 Cockpit CMS Cross-Site Request Forgery vulnerability
Affected: ≥ 0, < 2.6.0. Date: 2023-07-20. Sources: ghsa, osv.
A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.
CVE-2023-37649 [HIGH] Cockpit CMS vulnerable to incorrect access control
Affected: ≥ 0, < 2.6.0. Date: 2023-07-20. Sources: ghsa, osv.
Incorrect access control in the component `/models/Content` of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data.
CVE-2023-1313 [HIGH] CWE-434 cockpit-hq/cockpit is vulnerable to unrestricted file uploads
Affected: ≥ 0, < 2.4.1. Date: 2023-03-10. Sources: ghsa, osv.
Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4.1.
CVE-2023-1160 [MEDIUM] CWE-1103 Cockpit Uses Platform-Dependent Third Party Components
Affected: ≥ 0, ≤ 2.3.9. Date: 2023-03-03. Sources: ghsa, osv.
Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit 2.3.9 and prior. A patch is available and anticipated to be part of version 2.4.0.
CVE-2023-0780 [MEDIUM] CWE-1021 Improper Restriction of Rendered UI Layers or Frames in cockpit-hq/cockpit
Affected: ≥ 0, < 2.3.9. Date: 2023-02-11. Sources: ghsa, osv.
Improper Restriction of Rendered UI Layers or Frames in GitHub repository cockpit-hq/cockpit prior to 2.3.9.
CVE-2023-0759 [HIGH] CWE-268 Privilege chaining in cockpit-hq/cockpit
Affected: ≥ 0, < 2.3.8. Date: 2023-02-09. Sources: ghsa, osv.
Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.
CVE-2022-2818 [HIGH] CWE-212 Cockpit Content Platform vulnerable to 2FA bypass
Affected: ≥ 0, < 2.2.2. Date: 2022-08-16. Sources: ghsa, osv.
Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after a user logs into their account, allowing an attacker to bypass the 2FA code. A patch is available on the `develop` branch and is expected to be part of version 2.2.2.