CVE-2020-35846

CRITICAL NUCLEI

Agentejo Cockpit < 0.11.2 - NoSQL Injection via Auth Controller Check Function


Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-35846. PoCs published by JohnHammond, 0z09e, h00die, Nikita Petrov, including Metasploit module exploits/multi/http/cockpit_cms_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional Python script that exploits CVE-2020-35846 to leak usernames from Cockpit 0.11.1 via a NoSQL injection vulnerability. The script automates the process of retrieving a CSRF token and sending a crafted request to trigger the vulnerability.

Description

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.

Exploits (3)

nomisec WORKING POC 15 stars
by JohnHammond · poc
https://github.com/JohnHammond/CVE-2020-35846

This repository contains a functional Python script that exploits CVE-2020-35846 to leak usernames from Cockpit 0.11.1 via a NoSQL injection vulnerability. The script automates the process of retrieving a CSRF token and sending a crafted request to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cockpit 0.11.1
No auth needed
Prerequisites: Network access to the target Cockpit instance
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 6 stars
by 0z09e · poc
https://github.com/0z09e/CVE-2020-35846

This repository contains a functional exploit for CVE-2020-35846, which chains a NoSQL injection vulnerability in Cockpit CMS to achieve remote code execution by dumping user information, resetting passwords, and deploying a PHP web shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cockpit CMS
No auth needed
Prerequisites: Target running vulnerable Cockpit CMS · Network access to the target
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC NORMAL
by h00die, Nikita Petrov · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cockpit_cms_rce.rb

This Metasploit module exploits a NoSQL injection vulnerability (CVE-2020-35846) in Cockpit CMS to enumerate users, followed by a password reset token extraction (CVE-2020-35847) to take over an account, and finally achieves remote code execution via command injection.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Cockpit CMS 0.10.0 - 0.11.1
No auth needed
Prerequisites: Network access to the target · Cockpit CMS instance running a vulnerable version
devstral-2 · analyzed Apr 30, 2026

Nuclei Templates (1)

Agentejo Cockpit < 0.11.2 - NoSQL Injection
CRITICAL · by dwisiswant0
Shodan: http.favicon.hash:688609340 || http.html:"cockpit"
FOFA: icon_hash=688609340 || body="cockpit"

Scores

CVSS v3 9.8
EPSS 0.9393
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1): agentejo/cockpit < 0.11.2
Published: Dec 30, 2020
Tracked Since: Feb 18, 2026