GHSA-fm6c-rhcf-7439
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fm6c-rhcf-7439
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-fm6c-rhcf-7439/GHSA-fm6c-rhcf-7439.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fm6c-rhcf-7439
- Aliases
-
- CVE-2026-38992
- Published
- 2026-04-29T15:30:39Z
- Modified
- 2026-05-06T23:05:56.844144Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Cockpit is vulnerable to arbitrary code execution
- Details
-
Cockpit versions 2.13.5 and earlier are vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator.
- Database specific
{ "cwe_ids": [ "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2026-05-06T22:57:15Z", "nvd_published_at": "2026-04-29T15:16:05Z", "severity": "CRITICAL" }- References
Affected packages
Packagist / cockpit-hq/cockpit
Package
- Name
- cockpit-hq/cockpit
- Purl
- pkg:composer/cockpit-hq/cockpit
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.14.0
Affected versions
2.*
2.0.0
2.0.1
2.0.2
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.10.0
2.10.1
2.10.2
2.10.3
2.11.0
2.11.1
2.11.2
2.11.3
2.11.4
2.12.0
2.12.1
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5