CVE-2026-34965
HIGH
Cockpit CMS Authenticated Remote Code Execution via Collections
Title source: cna
Description
Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint: an authenticated attacker with collection management privileges can inject arbitrary PHP code into collection rule parameters. The injected code is written directly to server-side PHP files and executed via include(), which yields arbitrary command execution on the underlying server.
References (4)
Core References (4)
Product: https://github.com/agentejo/cockpit
Exploit (technical description): https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90
Third Party Advisory: https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9
Third Party Advisory: https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-via-collections
Scores
CVSS v3
8.8
EPSS
0.0083
EPSS Percentile
52.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (1)
Cockpit/Cockpit CMS
< 494765e
Published
Apr 29, 2026
Tracked Since
Apr 30, 2026