CVE-2026-6626

MEDIUM

Cockpit-HQ Cockpit Asset Handler/Aggregate data query logic injection

Title source: cna

Description

A vulnerability was detected in Cockpit-HQ Cockpit up to 2.13.5. Affected by this issue is some unknown functionality of the component Asset Handler/Aggregate Handler. The manipulation results in improper neutralization of special elements in data query logic. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry vdb-entry

VDB-358261 | Cockpit-HQ Cockpit Asset Handler/Aggregate data query logic injection

https://vuldb.com/vuln/358261

Signature, Permissions Required signature permissions-required

VDB-358261 | CTI Indicators (IOB, IOC)

https://vuldb.com/vuln/358261/cti

Third Party Advisory third-party-advisory

Submit #792601 | Cockpit-HQ Cockpit CMS 2.13.5 Injection

https://vuldb.com/submit/792601

Exploit exploit

https://github.com/NicolasPauferro/studiesofnosqli

View Exploit ZIP pw:eip

Scores

CVSS v3 6.3

EPSS 0.0023

EPSS Percentile 13.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-20 CWE-943

Status published

Products (7)

cockpit-hq/cockpit 0 - 2.14.0Packagist

Cockpit-HQ/Cockpit 2.13.0

Cockpit-HQ/Cockpit 2.13.1

Cockpit-HQ/Cockpit 2.13.2

Cockpit-HQ/Cockpit 2.13.3

Cockpit-HQ/Cockpit 2.13.4

Cockpit-HQ/Cockpit 2.13.5

Published Apr 20, 2026

Tracked Since Apr 20, 2026