CVE-2026-38992

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator.

Vulnerability Details

Published Date

April 29, 2026

Last Modified

April 30, 2026

CWE ID

CWE-94

Source

NVD

External References

https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/
https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0

CVE-2026-38992

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment