CVE-2026-4802

HIGH

Cockpit: cockpit: arbitrary command execution via crafted links in system logs ui

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-4802. PoCs published by hakaioffsec, fearlessresponsesolution.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-4802, a command injection vulnerability in Cockpit's system logs UI. The exploit leverages unsanitized user input in the `loadServiceFilters()` function to execute arbitrary commands via shell metacharacters.

Description

A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.

Exploits (2)

nomisec WORKING POC 1 stars

by hakaioffsec · poc

https://github.com/hakaioffsec/CVE-2026-4802

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-4802, a command injection vulnerability in Cockpit's system logs UI. The exploit leverages unsanitized user input in the `loadServiceFilters()` function to execute arbitrary commands via shell metacharacters.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cockpit (unpatched versions with `pkg/systemd/logsJournal.jsx`)

Auth required

Prerequisites: valid credentials for Cockpit · network access to the Cockpit web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 14, 2026 Full analysis →

github WORKING POC

by fearlessresponsesolution · tsqlpoc

https://github.com/fearlessresponsesolution/cve-pocs/tree/master/pocs/CVE-2026-4802

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-4802, demonstrating remote code execution in Cockpit via command injection in the `loadServiceFilters()` function. The PoC includes authentication, command execution, and reverse shell capabilities.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cockpit (unpatched versions with `pkg/systemd/logsJournal.jsx`)

Auth required

Prerequisites: valid Cockpit credentials · network access to the Cockpit web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 21, 2026 Full analysis →

References (4)

Core 4

Core References

Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2026-4802

Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat

RHBZ#2451155

https://bugzilla.redhat.com/show_bug.cgi?id=2451155

https://github.com/cockpit-project/cockpit/blob/e204cd130/pkg/systemd/logsJournal.jsx#L206-L210

View Writeup ZIP pw:eip

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/20/19

Scores

CVSS v3 8.0

EPSS 0.0020

EPSS Percentile 41.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (4)

Red Hat/Red Hat Enterprise Linux 10

Red Hat/Red Hat Enterprise Linux 7

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 9

Published May 11, 2026

Tracked Since May 11, 2026