cockpit-hq/cockpit
Packagist · 24 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting cockpit-hq/cockpit (page 1 of 1)
- CVE-2022-2818 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.2.2 | 2022-08-15
vulnerable: 2.0.0 ... 2.2.1 (8 versions)
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2.
- CVE-2023-0759 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.3.8 | 2023-02-09
vulnerable: 2.0.0 ... 2.3.7 (17 versions)
Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8.
- CVE-2023-0780 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 2.3.9 | 2023-02-11
vulnerable: 2.0.0 ... 2.3.8 (18 versions)
Improper Restriction of Rendered UI Layers or Frames in GitHub repository cockpit-hq/cockpit prior to 2.3.9-dev.
- CVE-2023-1160 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-03-03
vulnerable: 2.0.0 ... 2.3.9 (19 versions)
Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit prior to 2.4.0.
- CVE-2023-1313 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.4.1 | 2023-03-10
vulnerable: 2.0.0 ... 2.4.0 (20 versions)
Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4.1.
- CVE-2023-37649 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.6.0 | 2023-07-20
vulnerable: 2.0.0 ... 2.5.2 (24 versions)
Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data.
- CVE-2023-37650 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.6.0 | 2023-07-20
vulnerable: 2.0.0 ... 2.5.2 (24 versions)
A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.
- CVE-2023-41564 | MEDIUM | CVSS 6.1 | EG 6.1 | 2023-09-08
vulnerable: 2.0.0 ... 2.6.3 (28 versions)
An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.
- CVE-2023-4195 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.6.3 | 2023-08-06
vulnerable: 2.0.0 ... 2.6.2 (27 versions)
PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
- CVE-2023-4196 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 2.6.3 | 2023-08-06
vulnerable: 2.0.0 ... 2.6.2 (27 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
- CVE-2023-4321 | MEDIUM | CVSS 6.1 | EG 8.3 | 2023-08-14
vulnerable: 2.0.0 ... 2.6.2 (27 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3.
- CVE-2023-4395 | MEDIUM | CVSS 5.4 | EG 8.1 | 2023-08-17
vulnerable: 2.0.0 ... 2.6.3 (28 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.
- CVE-2023-4422 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 2.6.3 | 2023-08-18
vulnerable: 2.0.0 ... 2.6.2 (27 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.
- CVE-2023-4432 | MEDIUM | CVSS 6.1 | EG 8.3 | 2023-08-19
vulnerable: 2.0.0 ... 2.6.3 (28 versions)
Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.
- CVE-2023-4433 | MEDIUM | CVSS 5.4 | EG 8.3 | 2023-08-19
vulnerable: 2.0.0 ... 2.6.3 (28 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.
- CVE-2023-4451 | MEDIUM | CVSS 6.1 | EG 6.1 | 2023-08-20
vulnerable: 2.0.0 ... 2.6.3 (28 versions)
Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.
- CVE-2024-2001 | MEDIUM | CVSS 5.5 | EG 5.5 | 2024-02-29
vulnerable: 2.7.0
A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploa…
- CVE-2024-4825 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.7.0 | 2024-05-14
vulnerable: 2.0.0 ... 2.6.3 (28 versions)
A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructu…
- CVE-2025-1025 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.4.1 | 2025-02-05
vulnerable: 2.0.0 ... 2.4.0 (20 versions)
Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.
- CVE-2026-23695 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-05-15
vulnerable: 2.0.0 ... 2.9.4 (61 versions)
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using …
- CVE-2026-38991 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.14.0 | 2026-04-29
vulnerable: 2.0.0 ... 2.9.4 (60 versions)
Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary…
- CVE-2026-38992 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.14.0 | 2026-04-29
vulnerable: 2.0.0 ... 2.9.4 (60 versions)
Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func…
- CVE-2026-38993 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 2.14.0 | 2026-04-29
vulnerable: 2.0.0 ... 2.9.4 (60 versions)
Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malici…
- CVE-2026-6626 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 2.14.0 | 2026-04-20
vulnerable: 2.0.0 ... 2.9.4 (60 versions)
A vulnerability was detected in Cockpit-HQ Cockpit up to 2.13.5. Affected by this issue is some unknown functionality of the component Asset Handler/Aggregate Handler. The manipulation results in improper neutralization of special elements…