CVE-2026-24892

Source
https://cve.org/CVERecord?id=CVE-2026-24892
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24892.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24892
Aliases
  • GHSA-g83p-vvjm-g39x
Published
2026-02-20T20:55:11.981Z
Modified
2026-03-01T02:57:03.488197Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
openITCOCKPIT has Unsafe Deserialization in openITCOCKPIT Changelog Handling
Details

openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization pattern in the processing of changelog entries. Serialized changelog data derived from attacker-influenced application state is unserialized without restricting allowed classes. Although no current application endpoint was found to introduce PHP objects into this data path, the presence of an unrestricted unserialize() call constitutes a latent PHP object injection vulnerability. If future code changes, plugins, or refactors introduce object values into this path, the vulnerability could become immediately exploitable with severe impact, including potential remote code execution.

Database specific
{
    "cwe_ids": [
        "CWE-502"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24892.json"
}
References

Affected packages

Git / github.com/openitcockpit/openitcockpit

Affected ranges

Type
GIT
Repo
https://github.com/openitcockpit/openitcockpit
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

openITCOCKPIT-3.*
openITCOCKPIT-3.0.10
openITCOCKPIT-3.0.10-10
openITCOCKPIT-3.0.10-12
openITCOCKPIT-3.0.10-13
openITCOCKPIT-3.0.10-14
openITCOCKPIT-3.0.10-15
openITCOCKPIT-3.0.10-16
openITCOCKPIT-3.0.10-4
openITCOCKPIT-3.0.10-5
openITCOCKPIT-3.0.10-6
openITCOCKPIT-3.0.10-8
openITCOCKPIT-3.0.11
openITCOCKPIT-3.0.11-3
openITCOCKPIT-3.0.11-4
openITCOCKPIT-3.0.11-6
openITCOCKPIT-3.0.11-7
openITCOCKPIT-3.0.11-8
openITCOCKPIT-3.0.4
openITCOCKPIT-3.0.6-1
openITCOCKPIT-3.0.7
openITCOCKPIT-3.0.8
openITCOCKPIT-3.0.8-2
openITCOCKPIT-3.0.9
openITCOCKPIT-3.1.0
openITCOCKPIT-3.1.1
openITCOCKPIT-3.1.5
openITCOCKPIT-3.2.0
openITCOCKPIT-3.3.0
openITCOCKPIT-3.3.0-3
openITCOCKPIT-3.4.2
openITCOCKPIT-3.4.3
openITCOCKPIT-3.5.0
openITCOCKPIT-3.6.0
openITCOCKPIT-3.6.1
openITCOCKPIT-3.6.1-2
openITCOCKPIT-3.7.1
openITCOCKPIT-3.7.2
openITCOCKPIT-4.*
openITCOCKPIT-4.0.4
openITCOCKPIT-4.0.4-1
openITCOCKPIT-4.0.5
openITCOCKPIT-4.1.0
openITCOCKPIT-4.1.1
openITCOCKPIT-4.1.2
openITCOCKPIT-4.1.3
openITCOCKPIT-4.1.4
openITCOCKPIT-4.2.1
openITCOCKPIT-4.2.2
openITCOCKPIT-4.2.3
openITCOCKPIT-4.3.0
openITCOCKPIT-4.3.1
openITCOCKPIT-4.3.2
openITCOCKPIT-4.3.3
openITCOCKPIT-4.4.0
openITCOCKPIT-4.4.1
openITCOCKPIT-4.5.0
openITCOCKPIT-4.5.1
openITCOCKPIT-4.5.2
openITCOCKPIT-4.5.3
openITCOCKPIT-4.5.4
openITCOCKPIT-4.5.5
openITCOCKPIT-4.6.0
openITCOCKPIT-4.6.1
openITCOCKPIT-4.6.10
openITCOCKPIT-4.6.2
openITCOCKPIT-4.6.3
openITCOCKPIT-4.6.4
openITCOCKPIT-4.6.5
openITCOCKPIT-4.6.6
openITCOCKPIT-4.6.7
openITCOCKPIT-4.6.8
openITCOCKPIT-4.6.9
openITCOCKPIT-4.7.0
openITCOCKPIT-4.7.1
openITCOCKPIT-4.8.0
openITCOCKPIT-4.8.1
openITCOCKPIT-4.8.2
openITCOCKPIT-4.8.3
openITCOCKPIT-4.8.4
openITCOCKPIT-4.8.5
openITCOCKPIT-4.8.6
openITCOCKPIT-4.8.7
openITCOCKPIT-5.*
openITCOCKPIT-5.0.0
openITCOCKPIT-5.0.1
openITCOCKPIT-5.0.2
openITCOCKPIT-5.1.0
openITCOCKPIT-5.1.1
openITCOCKPIT-5.1.2
openITCOCKPIT-5.2.0
openITCOCKPIT-5.3.0
openITCOCKPIT-5.3.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24892.json"