{"url":"http://public2.vulnerablecode.io/api/packages/69214?format=json","purl":"pkg:composer/cockpit-hq/cockpit@2.7.0","type":"composer","namespace":"cockpit-hq","name":"cockpit","version":"2.7.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61682?format=json","vulnerability_id":"VCID-6v73-fewm-13h8","summary":"Cockpit: Arbitrary file write via directory traversal in Buckets component","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-38993.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-38993.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-38993","reference_id":"","reference_type":"","scores":[{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31094","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31172","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.3114","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31103","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00124","scoring_system":"epss","scoring_elements":"0.31071","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-38993"},{"reference_url":"https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://felsec.com/posts/co
ckpit-cms-2.13.5-multi-vulns"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Cockpit-HQ/Cockpit"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T20:13:30Z/"}],"url":"https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38993","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38993"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2463843","reference_id":"2463843","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2463843"},{"reference_url":"https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/","reference_id":"cockpit-cms-2.13.5-multi-vulns","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T20:13:30Z/"}],"url":"https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/"},{"reference_url":"https://github.com/advisories/GHSA-p46p-7pmj-m34f","reference_id":"GHSA-p46p-7pmj-m34f","reference_type":"",
"scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p46p-7pmj-m34f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110353?format=json","purl":"pkg:composer/cockpit-hq/cockpit@2.14.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dg6z-p9kt-zbf6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/cockpit-hq/cockpit@2.14.0"}],"aliases":["CVE-2026-38993","GHSA-p46p-7pmj-m34f"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6v73-fewm-13h8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90187?format=json","vulnerability_id":"VCID-87ah-ev1x-9yam","summary":"Cockpit is vulnerable to arbitrary code execution\nCockpit versions 2.13.5 and earlier are vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func 
operator.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-38992","reference_id":"","reference_type":"","scores":[{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29188","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29168","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29155","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29223","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00111","scoring_system":"epss","scoring_elements":"0.29256","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-38992"},{"reference_url":"https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Cockpit-HQ/Cockpit"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-30T13:02:52Z/"}],"url":"https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0"},{"reference_url
":"https://nvd.nist.gov/vuln/detail/CVE-2026-38992","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38992"},{"reference_url":"https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/","reference_id":"cockpit-cms-2.13.5-multi-vulns","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-30T13:02:52Z/"}],"url":"https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/"},{"reference_url":"https://github.com/advisories/GHSA-fm6c-rhcf-7439","reference_id":"GHSA-fm6c-rhcf-7439","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fm6c-rhcf-7439"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110353?format=json","purl":"pkg:composer/cockpit-hq/cockpit@2.14.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dg6z-p9kt-zbf6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/cockpit-hq/cockpit@2.14.0"}],"aliases":["CVE-2026-38992","GHSA-fm6c-rhcf-7439"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-87ah-ev1x-9yam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89805?format=json","vulnerability_id":"VCID-gpsr-7f2x-tyda","summary":"Cockpit has NoSQL Injection Through Content Aggregation Pipelines\nA vulnerability was detected in Cockpit-HQ Cockpit up to 2.13.5. Affected by this issue is some unknown functionality of the component Asset Handler/Aggregate Handler. 
The manipulation results in improper neutralization of special elements in data query logic. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6626","reference_id":"","reference_type":"","scores":[{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.23373","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.23263","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.2326","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.23314","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.23359","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-6626"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Cockpit-HQ/Cockpit"},{"reference_url":"https://github.com/NicolasPauferro/studiesofnosqli","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"},{"value":"6.3","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T15:23:30Z/"}],"url":"https://github.com/NicolasPauferro/studiesofnosqli"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6626","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6626"},{"reference_url":"https://vuldb.com/submit/792601","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system"
:"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T15:23:30Z/"}],"url":"https://vuldb.com/submit/792601"},{"reference_url":"https://vuldb.com/vuln/358261","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T15:23:30Z/"}],"url":"https://vuldb.com/vuln/358261"},{"reference_url":"https://vuldb.com/vuln/358261/cti","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"},{"value":"6.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N
/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T15:23:30Z/"}],"url":"https://vuldb.com/vuln/358261/cti"},{"reference_url":"https://github.com/advisories/GHSA-5pv2-86qj-5jf9","reference_id":"GHSA-5pv2-86qj-5jf9","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5pv2-86qj-5jf9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110353?format=json","purl":"pkg:composer/cockpit-hq/cockpit@2.14.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dg6z-p9kt-zbf6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/cockpit-hq/cockpit@2.14.0"}],"aliases":["CVE-2026-6626","GHSA-5pv2-86qj-5jf9"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gpsr-7f2x-tyda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47167?format=json","vulnerability_id":"VCID-m49m-kj4s-3bf3","summary":"Cockpit CMS Cross-Site Scripting vulnerability\nA Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. 
This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-2001","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25199","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25087","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25078","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25136","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25186","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-2001"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Cockpit-HQ/Cockpit"},{"reference_url":"https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-vulnerability-cockpit-cms","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-01T18:52:32Z/"}],"url":"https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-vulnerability-cockpit-cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2001","reference_id":"CVE-2024-2001","reference_type":"","scores":[{"value":"5.5","scoring_system"
:"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2001"},{"reference_url":"https://github.com/advisories/GHSA-q76r-7p4q-mqpw","reference_id":"GHSA-q76r-7p4q-mqpw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q76r-7p4q-mqpw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/721374?format=json","purl":"pkg:composer/cockpit-hq/cockpit@2.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6v73-fewm-13h8"},{"vulnerability":"VCID-87ah-ev1x-9yam"},{"vulnerability":"VCID-gpsr-7f2x-tyda"},{"vulnerability":"VCID-v371-2shu-u7bs"},{"vulnerability":"VCID-xhpg-a1sk-ykg2"},{"vulnerability":"VCID-yyrx-k7wg-bygr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/cockpit-hq/cockpit@2.7.1"}],"aliases":["CVE-2024-2001","GHSA-q76r-7p4q-mqpw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m49m-kj4s-3bf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91777?format=json","vulnerability_id":"VCID-v371-2shu-u7bs","summary":"Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()\n### Impact\n\nThis is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer.\n\nAny Cockpit CMS instance running version **2.13.4 or earlier** with API access enabled\nis potentially affected.\n\n**Who is impacted:**\n- Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly\n  accessible or reachable by untrusted users.\n- Attackers in possession of a **valid read-only API key** (the lowest privilege level)\n  can exploit this vulnerability — no admin access is required.\n\n**What an attacker can do:**\n- Inject 
arbitrary SQL via unsanitized field names in aggregation queries.\n- Bypass the `_state=1` published-content filter to access unpublished or restricted content.\n- Extract unauthorized data from the underlying SQLite content database.\n\n**Confidentiality impact is High.** Integrity and availability are not directly affected\nby this vulnerability.\n\n### Patches\n\nThis vulnerability has been **patched in version 2.13.5**.\n\nAll users running Cockpit CMS version **2.13.4 or earlier** are strongly advised to\nupgrade to **2.13.5 or later** immediately.\n\n- https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5\n\nThe fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()`\nto the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`,\nclosing the injection vector in the Aggregation Optimizer.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31891","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02401","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02342","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02386","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02459","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02453","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31891"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Cockpit-HQ/Cockpit"},{"reference_url":"https://github.com/Cockpit-HQ/Co
ckpit/releases/tag/2.13.5","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:33:48Z/"}],"url":"https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit/security/advisories/GHSA-7x5c-vfhj-9628","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:33:48Z/"}],"url":"https://github.com/Cockpit-HQ/Cockpit/security/advisories/GHSA-7x5c-vfhj-9628"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31891","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31891"},{"reference_url":"https://github.com/advisories/GHSA-7x5c-vfhj-9628","reference_id":"GHSA-7x5c-vfhj-9628","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7x5c-vfhj-9628"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114113?format=json","purl":"pkg:composer/cockpit-hq/cockpit@2.13.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6v73-fewm-13h8"},{"vulnerability":"VCID-87ah-ev1x-9yam"},{"vulnerability":"VCID-gpsr-7f2x-tyda"},{"vulnerab
ility":"VCID-yyrx-k7wg-bygr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/cockpit-hq/cockpit@2.13.5"}],"aliases":["CVE-2026-31891","GHSA-7x5c-vfhj-9628"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v371-2shu-u7bs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57574?format=json","vulnerability_id":"VCID-xhpg-a1sk-ykg2","summary":"Cockpit - Content Platform vulnerable to XSS through name or email argument names\nA vulnerability was found in Cockpit versions up to 2.11.3. This issue affects some unknown processing instances of the file /system/users/save. The manipulation of the arguments \"name\" or \"email\" leads to cross-site scripting. The attack may be initiated remotely. Upgrading to version 2.11.4 will address this issue. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure and acted accordingly. 
A patch and new release were made available very quickly.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-7053","reference_id":"","reference_type":"","scores":[{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42375","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42351","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42341","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.4239","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42402","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-7053"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Cockpit-HQ/Cockpit"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit/commit/bdcd5e3bc651c0839c7eea807f3eb6af856dbc76","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:ND/RL:OF/RC:C"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"
},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-08T14:09:38Z/"}],"url":"https://github.com/Cockpit-HQ/Cockpit/commit/bdcd5e3bc651c0839c7eea807f3eb6af856dbc76"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.11.4","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:ND/RL:OF/RC:C"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-08T14:09:38Z/"}],"url":"https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.11.4"},{"reference_url":"https://vuldb.com/?ctiid.314819","reference_id":"","reference_type":"","scores":[{"value":"4","sc
oring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:ND/RL:OF/RC:C"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-08T14:09:38Z/"}],"url":"https://vuldb.com/?ctiid.314819"},{"reference_url":"https://vuldb.com/?id.314819","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:ND/RL:OF/RC:C"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X"},{"value":"MODERATE","s
coring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-08T14:09:38Z/"}],"url":"https://vuldb.com/?id.314819"},{"reference_url":"https://vuldb.com/?submit.605594","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:ND/RL:OF/RC:C"},{"value":"3.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-08T14:09:38Z/"}],"url":"https://vuldb.com/?submit.605594"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-7053","reference_id":"CVE-2025-7053","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-7053"},{"ref
erence_url":"https://github.com/advisories/GHSA-j4rj-fgcq-wmqp","reference_id":"GHSA-j4rj-fgcq-wmqp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j4rj-fgcq-wmqp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85631?format=json","purl":"pkg:composer/cockpit-hq/cockpit@2.11.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6v73-fewm-13h8"},{"vulnerability":"VCID-87ah-ev1x-9yam"},{"vulnerability":"VCID-gpsr-7f2x-tyda"},{"vulnerability":"VCID-v371-2shu-u7bs"},{"vulnerability":"VCID-yyrx-k7wg-bygr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/cockpit-hq/cockpit@2.11.4"}],"aliases":["CVE-2025-7053","GHSA-j4rj-fgcq-wmqp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xhpg-a1sk-ykg2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89292?format=json","vulnerability_id":"VCID-yyrx-k7wg-bygr","summary":"Cockpit Vulnerable to Unrestricted Upload of File with Dangerous Type\nCockpit versions 2.13.5 and earlier are affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. 
This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code to be executed on the underlying server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-38991","reference_id":"","reference_type":"","scores":[{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10836","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10855","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10915","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10948","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10956","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-38991"},{"reference_url":"https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Cockpit-HQ/Cockpit"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2
/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-29T20:22:57Z/"}],"url":"https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38991","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38991"},{"reference_url":"https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/","reference_id":"cockpit-cms-2.13.5-multi-vulns","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-29T20:22:57Z/"}],"url":"https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/"},{"reference_url":"https://github.com/advisories/GHSA-j2rx-4jg9-79mw","reference_id":"GHSA-j2rx-4jg9-79mw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j2rx-4jg9-79mw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110353?format=json","purl":"pkg:composer/cockpit-hq/cockpit@2.14.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dg6z-p9kt-zbf6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/cockpit-hq/cockpit@2.14.0"}],"aliases":["CVE-2026-38991","GHSA-j2rx-4jg9-79mw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yyrx-k7wg-bygr"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54793?format=json","vulnerability_id":"VCID-hfj2-fbh8-hka7","summary":"Cockpit CMS contains an arbitrary file upload vulnerability\nA vulnerability has been discovered in 
Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An attacker could upload files to the server, compromising the entire infrastructure.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4825","reference_id":"","reference_type":"","scores":[{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.26163","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.26062","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.26056","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.26112","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.26156","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-4825"},{"reference_url":"https://github.com/Cockpit-HQ/Cockpit","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Cockpit-HQ/Cockpit"},{"reference_url":"https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-upload-file-dangerous-type-vulnerability-cockpit-cms","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-05T16:04:16Z/"}],"url":"https://www.incibe.es/en/incibe-cert/notices/aviso/unrestricted-upload-file-dangerous-type-vulnerability-cockpit-cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4825","reference_id":"CVE-2
024-4825","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4825"},{"reference_url":"https://github.com/advisories/GHSA-vpj8-xfqc-jcv9","reference_id":"GHSA-vpj8-xfqc-jcv9","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vpj8-xfqc-jcv9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69214?format=json","purl":"pkg:composer/cockpit-hq/cockpit@2.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6v73-fewm-13h8"},{"vulnerability":"VCID-87ah-ev1x-9yam"},{"vulnerability":"VCID-gpsr-7f2x-tyda"},{"vulnerability":"VCID-m49m-kj4s-3bf3"},{"vulnerability":"VCID-v371-2shu-u7bs"},{"vulnerability":"VCID-xhpg-a1sk-ykg2"},{"vulnerability":"VCID-yyrx-k7wg-bygr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/cockpit-hq/cockpit@2.7.0"}],"aliases":["CVE-2024-4825","GHSA-vpj8-xfqc-jcv9"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hfj2-fbh8-hka7"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/cockpit-hq/cockpit@2.7.0"}