GHSA-7x5c-vfhj-9628

Source
https://github.com/advisories/GHSA-7x5c-vfhj-9628
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7x5c-vfhj-9628/GHSA-7x5c-vfhj-9628.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7x5c-vfhj-9628
Aliases
Published
2026-03-17T17:07:41Z
Modified
2026-03-19T19:17:29.490977Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
Details

Impact

This is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer.

Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected.

Who is impacted:
  • Any deployment where the /api/content/aggregate/{model} endpoint is publicly accessible or reachable by untrusted users.
  • Attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability; no admin access is required.

What an attacker can do:
  • Inject arbitrary SQL via unsanitized field names in aggregation queries.
  • Bypass the _state=1 published-content filter to access unpublished or restricted content.
  • Extract unauthorized data from the underlying SQLite content database.

Confidentiality impact is High. Integrity and availability are not directly affected by this vulnerability.

Patches

This vulnerability has been patched in version 2.13.5.

All users running Cockpit CMS version 2.13.4 or earlier are strongly advised to upgrade to 2.13.5 or later immediately.

  • https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5

The fix applies the same field-name sanitization introduced in v2.13.3 for toJsonPath() to the toJsonExtractRaw() method in lib/MongoLite/Aggregation/Optimizer.php, closing the injection vector in the Aggregation Optimizer.
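To make the injection pattern from the "What an attacker can do" list and the fix description concrete, here is an added Python example. It is not Cockpit's PHP code and does not reproduce the project's actual sanitizer; it models how an aggregation optimizer might build SQLite json_extract() paths from caller-supplied field names, runs a crafted field name against an in-memory database to show the published-content filter being bypassed, and shows a field-name whitelist of the kind the advisory describes rejecting the same input. The table layout, sample documents, the FIELD_RE pattern and the payload are all constructed for illustration.

```python
import json
import re
import sqlite3

# Constructed sample documents (not from any real Cockpit deployment).
# Cockpit stores content as JSON documents and marks published items with _state=1.
DOCS = [
    {"_id": 1, "title": "Public post", "_state": 1},
    {"_id": 2, "title": "Draft (unpublished)", "_state": 0},
    {"_id": 3, "title": "Another public post", "_state": 1},
]


def make_db():
    """Build an in-memory SQLite table with one JSON document per row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, document TEXT)")
    conn.executemany(
        "INSERT INTO posts (id, document) VALUES (?, ?)",
        [(d["_id"], json.dumps(d)) for d in DOCS],
    )
    return conn


def to_json_extract_raw_unsafe(field):
    """Vulnerable pattern: the field name is spliced into the JSON path literal.
    A single quote in `field` terminates the string and the rest is parsed as SQL."""
    return f"json_extract(document, '$.{field}')"


# Hypothetical whitelist for illustration: letters, digits, underscore and dots
# (dots allow nested paths such as meta.author). Not Cockpit's exact rule.
FIELD_RE = re.compile(r"^[A-Za-z0-9_.]+$")


def to_json_extract_raw_safe(field):
    """Hardened pattern: reject anything that is not a plain dotted field name
    before it can reach the SQL string."""
    if not FIELD_RE.match(field):
        raise ValueError(f"invalid field name: {field!r}")
    return f"json_extract(document, '$.{field}')"


def project_published(conn, field, builder):
    """Model a $project-style stage that should only ever see published documents.
    The _state=1 predicate is appended by the server, not supplied by the caller."""
    sql = (
        f"SELECT {builder(field)} FROM posts "
        f"WHERE json_extract(document, '$._state') = 1"
    )
    return sorted(row[0] for row in conn.execute(sql))


if __name__ == "__main__":
    conn = make_db()
    # Honest field name: only published titles come back.
    print(project_published(conn, "title", to_json_extract_raw_unsafe))
    # Crafted field name closes the path literal, supplies its own WHERE clause and
    # comments out the server's _state filter, so the draft leaks too.
    payload = "title') FROM posts WHERE 1=1 --"
    print(project_published(conn, payload, to_json_extract_raw_unsafe))
    # The whitelist rejects the same payload before any SQL is built.
    try:
        project_published(conn, payload, to_json_extract_raw_safe)
    except ValueError as exc:
        print("blocked:", exc)
```

The bypass works because the optimizer, not the caller, appends the _state predicate; once the caller controls a string literal inside the SELECT, a `--` comment discards everything the server adds after it. Parameter binding is not available for a JSON path embedded in a function argument, which is why a strict field-name whitelist, as described in the patch note above, is the appropriate fix.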

Database specific
{
    "cwe_ids": [
        "CWE-89"
    ],
    "github_reviewed": true,
    "severity": "HIGH",
    "github_reviewed_at": "2026-03-17T17:07:41Z",
    "nvd_published_at": "2026-03-18T04:17:19Z"
}
References

Affected packages

Packagist / cockpit-hq/cockpit

Package

Name
cockpit-hq/cockpit
Purl
pkg:composer/cockpit-hq/cockpit

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.13.5

Affected versions

2.*
2.0.0
2.0.1
2.0.2
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.10.0
2.10.1
2.10.2
2.10.3
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.12.0
2.12.1
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7x5c-vfhj-9628/GHSA-7x5c-vfhj-9628.json"