CVE-2026-4802

HIGH

Cockpit: cockpit: arbitrary command execution via crafted links in system logs ui

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-4802. PoCs published by hakaioffsec, fearlessresponsesolution.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-4802, a command injection vulnerability in Cockpit's system logs UI. The exploit leverages unsanitized user input in the `loadServiceFilters()` function to execute arbitrary commands via shell metacharacters.

Description

A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.

Exploits (2)

nomisec WORKING POC 1 stars
by hakaioffsec · poc
https://github.com/hakaioffsec/CVE-2026-4802

This repository contains a functional exploit for CVE-2026-4802, a command injection vulnerability in Cockpit's system logs UI. The exploit leverages unsanitized user input in the `loadServiceFilters()` function to execute arbitrary commands via shell metacharacters.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cockpit (unpatched versions with `pkg/systemd/logsJournal.jsx`)
Auth required
Prerequisites: valid credentials for Cockpit · network access to the Cockpit web interface
mistral-large-3 · analyzed May 14, 2026 Full analysis →
github WORKING POC
by fearlessresponsesolution · tsqlpoc
https://github.com/fearlessresponsesolution/cve-pocs/tree/master/pocs/CVE-2026-4802

This repository contains a functional exploit for CVE-2026-4802, demonstrating remote code execution in Cockpit via command injection in the `loadServiceFilters()` function. The PoC includes authentication, command execution, and reverse shell capabilities.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cockpit (unpatched versions with `pkg/systemd/logsJournal.jsx`)
Auth required
Prerequisites: valid Cockpit credentials · network access to the Cockpit web interface
mistral-large-3 · analyzed May 21, 2026 Full analysis →

References (15)

Core 15
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:21394
https://access.redhat.com/errata/RHSA-2026:21394
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:21395
https://access.redhat.com/errata/RHSA-2026:21395
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:21468
https://access.redhat.com/errata/RHSA-2026:21468
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:21515
https://access.redhat.com/errata/RHSA-2026:21515
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:21516
https://access.redhat.com/errata/RHSA-2026:21516
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:21647
https://access.redhat.com/errata/RHSA-2026:21647
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:21676
https://access.redhat.com/errata/RHSA-2026:21676
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:21700
https://access.redhat.com/errata/RHSA-2026:21700
Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-4802
Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat
RHBZ#2451155
https://bugzilla.redhat.com/show_bug.cgi?id=2451155
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:21390
https://access.redhat.com/errata/RHSA-2026:21390
Vendor Advisory vendor-advisory x_refsource_redhat
RHSA-2026:21392
https://access.redhat.com/errata/RHSA-2026:21392

Scores

CVSS v3 8.0
EPSS 0.0102
EPSS Percentile 59.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (17)
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux 10 0:356.2-1.el10_2
Red Hat/Red Hat Enterprise Linux 10.0 Extended Update Support 0:334.2-1.el10_0
Red Hat/Red Hat Enterprise Linux 7
Red Hat/Red Hat Enterprise Linux 8
Red Hat/Red Hat Enterprise Linux 8 0:310.8-1.el8_10
Red Hat/Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support 0:264.3-1.el8_6
Red Hat/Red Hat Enterprise Linux 8.6 Telecommunications Update Service 0:264.3-1.el8_6
Red Hat/Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions 0:264.3-1.el8_6
Red Hat/Red Hat Enterprise Linux 8.8 Telecommunications Update Service 0:286.2-1.el8_8
... and 7 more
Published May 11, 2026
Tracked Since May 11, 2026