DEBIAN-CVE-2026-4802

Source
https://security-tracker.debian.org/tracker/CVE-2026-4802
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4802.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-4802
Upstream
  • CVE-2026-4802
Published
2026-05-11T14:16:31.550Z
Modified
2026-06-15T19:06:29.826796842Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.

References

Affected packages

Debian:11 / cockpit

Package

Name
cockpit
Purl
pkg:deb/debian/cockpit?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

Other
239-1
243-1
243-2
244-1
248-1
249-1
250-1
251-1~bpo10+1
251-1
251-2
252-1
254-1~bpo10+1
254-1
255-1
256-1~bpo11+1
256-1
257-1~bpo11+1
257-1
258-1
259-1~bpo11+1
259-1
259-2
260-1~bpo11+1
260-1
261-1~bpo11+1
261-1
262-1
263-1
264-1
265-1~bpo11+1
265-1
266-1~bpo11+1
266-1
267-1
269-1
271-1~bpo11+1
271-1
272-1~bpo11+1
272-1
273-1~bpo11+1
273-1
274-1
276-1
277-1
278-1
279-1~bpo11+1
279-1
280-1
282-1~bpo11+1
282-1
283-1~bpo11+1
283-1
284-1~bpo11+1
284-1
285-1~bpo11+1
285-1
286-1~bpo11+1
286-1
287-1~bpo11+1
287-1
289-1
290-1
291-1
292-1
293-1
294-1
295-1
296-1
297-1~bpo12+1
297-1
298-1
299-1~bpo12+1
299-1
300-1
301-1~bpo12+1
301-1
302-1
303-1~bpo12+1
303-1
304-1
305-1~bpo12+1
305-1
306-1~bpo12+1
306-1
307-1~bpo12+1
307-1
308-1~bpo12+1
308-1
309-1~bpo12+1
309-1
310-1
311-1~bpo12+1
311-1
312-1
313-1
314-1
316-1
317-1
317-2
317-3
317-4
317-5
318-1
318-2
318-3
318-4~bpo12+1
318-4
319-1~bpo12+1
319-1
320-1~bpo12+1
320-1
321-1
322-1~bpo12+1
322-1
323-1~bpo12+1
323-1
324-1~bpo12+1
324-1
325-1~bpo12+1
325-1
326-1
327-1~bpo12+1
327-1
328-1
329-1~bpo12+1
329-1
330-1
330-2
330-3
330-4
331-1~bpo12+1
331-1
332-1
333-1~bpo12+1
333-1
334-1
335-1
335-2~bpo12+1
335-2
336-1
337-1~bpo12+1
337-1
338-1
339-1
340-1
342-1
343-1
345-1~bpo13+1
345-1
346-1~bpo13+1
346-1
348-1~bpo13+1
348-1
350-1~bpo13+1
350-1
352-1~bpo13+1
352-1
354-1~bpo13+1
354-1
355-1~bpo13+1
355-1
356-1~bpo13+1
356-1
358-1~bpo13+1
358-1
360-1~bpo13+1
360-1
362-1~bpo13+1
362-1
276.*
276.1-1~bpo11+1
276.1-1
288.*
288.1-1
294.*
294.1-1
300.*
300.1-1~bpo12+1
300.1-1
310.*
310.1-1~bpo12+1
310.1-1
341.*
341.1-1
353.*
353.1-1~bpo13+1
353.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4802.json"

Debian:12 / cockpit

Package

Name
cockpit
Purl
pkg:deb/debian/cockpit?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

Other
287-1
289-1
290-1
291-1
292-1
293-1
294-1
295-1
296-1
297-1~bpo12+1
297-1
298-1
299-1~bpo12+1
299-1
300-1
301-1~bpo12+1
301-1
302-1
303-1~bpo12+1
303-1
304-1
305-1~bpo12+1
305-1
306-1~bpo12+1
306-1
307-1~bpo12+1
307-1
308-1~bpo12+1
308-1
309-1~bpo12+1
309-1
310-1
311-1~bpo12+1
311-1
312-1
313-1
314-1
316-1
317-1
317-2
317-3
317-4
317-5
318-1
318-2
318-3
318-4~bpo12+1
318-4
319-1~bpo12+1
319-1
320-1~bpo12+1
320-1
321-1
322-1~bpo12+1
322-1
323-1~bpo12+1
323-1
324-1~bpo12+1
324-1
325-1~bpo12+1
325-1
326-1
327-1~bpo12+1
327-1
328-1
329-1~bpo12+1
329-1
330-1
330-2
330-3
330-4
331-1~bpo12+1
331-1
332-1
333-1~bpo12+1
333-1
334-1
335-1
335-2~bpo12+1
335-2
336-1
337-1~bpo12+1
337-1
338-1
339-1
340-1
342-1
343-1
345-1~bpo13+1
345-1
346-1~bpo13+1
346-1
348-1~bpo13+1
348-1
350-1~bpo13+1
350-1
352-1~bpo13+1
352-1
354-1~bpo13+1
354-1
355-1~bpo13+1
355-1
356-1~bpo13+1
356-1
358-1~bpo13+1
358-1
360-1~bpo13+1
360-1
362-1~bpo13+1
362-1
287.*
287.1-0+deb12u1
287.1-0+deb12u2
287.1-0+deb12u3
288.*
288.1-1
294.*
294.1-1
300.*
300.1-1~bpo12+1
300.1-1
310.*
310.1-1~bpo12+1
310.1-1
341.*
341.1-1
353.*
353.1-1~bpo13+1
353.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4802.json"

Debian:13 / cockpit

Package

Name
cockpit
Purl
pkg:deb/debian/cockpit?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

Other
337-1
337-1+deb13u1
338-1
339-1
340-1
342-1
343-1
345-1~bpo13+1
345-1
346-1~bpo13+1
346-1
348-1~bpo13+1
348-1
350-1~bpo13+1
350-1
352-1~bpo13+1
352-1
354-1~bpo13+1
354-1
355-1~bpo13+1
355-1
356-1~bpo13+1
356-1
358-1~bpo13+1
358-1
360-1~bpo13+1
360-1
362-1~bpo13+1
362-1
341.*
341.1-1
353.*
353.1-1~bpo13+1
353.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4802.json"

Debian:14 / cockpit

Package

Name
cockpit
Purl
pkg:deb/debian/cockpit?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
362-1

Affected versions

Other
337-1
338-1
339-1
340-1
342-1
343-1
345-1~bpo13+1
345-1
346-1~bpo13+1
346-1
348-1~bpo13+1
348-1
350-1~bpo13+1
350-1
352-1~bpo13+1
352-1
354-1~bpo13+1
354-1
355-1~bpo13+1
355-1
356-1~bpo13+1
356-1
358-1~bpo13+1
358-1
360-1~bpo13+1
360-1
362-1~bpo13+1
341.*
341.1-1
353.*
353.1-1~bpo13+1
353.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4802.json"