CVE-2026-58467 PUBLISHED

Cockpit CMS < 364 - Path Traversal Local File Inclusion via index.php

Assigner: VulnCheck
Reserved: 30.06.2026
Published: 02.07.2026
Updated: 02.07.2026

Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability. PATH_INFO, derived from REQUEST_URI, is used unvalidated in filesystem path construction with no containment check, so an unauthenticated attacker can read arbitrary files or execute PHP files. Dot-dot sequences injected into the URL traverse outside the designated spaces directory; when the resolved path ends with a .php extension, the application passes it to include(), which yields local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.
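The description above names the defect (request-derived PATH_INFO joined onto the spaces directory with no containment check) and the fix it implies. The following is an added illustration written for this record, not Cockpit CMS source code: the function names, the spaces directory layout and the sample request paths are all constructed, and it needs PHP 8 for str_contains() and str_starts_with(). It shows the unsafe join beside a hardened resolver that canonicalises the path and refuses anything outside the base directory, then runs both against a constructed temporary layout.

```php
<?php
// Added illustration (hypothetical names, not Cockpit CMS code): the
// request-to-path pattern the advisory describes, beside a containment check.
declare(strict_types=1);

// Vulnerable pattern: PATH_INFO is glued onto the spaces directory as-is, so
// "../" segments in the request walk out of it. Nothing is validated.
function resolveSpacePathUnsafe(string $spacesDir, string $pathInfo): string
{
    return rtrim($spacesDir, '/') . '/' . ltrim($pathInfo, '/');
}

// Hardened pattern: canonicalise both sides with realpath() and require the
// candidate to sit strictly under the base directory before the filesystem
// is touched. Returns null for anything that must not be served.
function resolveSpacePathSafe(string $spacesDir, string $pathInfo): ?string
{
    // NUL bytes would truncate the path at the C level; reject them outright.
    if (str_contains($pathInfo, "\0")) {
        return null;
    }
    $base = realpath($spacesDir);
    if ($base === false) {
        return null; // base directory missing: fail closed
    }
    // realpath() collapses "." and ".." and resolves symlinks, so the
    // containment test below is made on the real on-disk location.
    $candidate = realpath($base . '/' . ltrim($pathInfo, '/'));
    if ($candidate === false) {
        return null; // target does not exist; nothing to include
    }
    // Containment: candidate must be the base itself or start with base + separator.
    if ($candidate !== $base && !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

// include() only a .php file that passed containment; deny everything else.
function includeSpaceFile(string $spacesDir, string $pathInfo): bool
{
    $path = resolveSpacePathSafe($spacesDir, $pathInfo);
    if ($path === null || pathinfo($path, PATHINFO_EXTENSION) !== 'php') {
        return false;
    }
    include $path;
    return true;
}

// Constructed demonstration layout in a temporary directory (hypothetical).
$tmp = sys_get_temp_dir() . '/spaces_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/spaces/blog', 0700, true);
file_put_contents($tmp . '/spaces/blog/index.php', "<?php echo \"inside spaces\\n\";");
file_put_contents($tmp . '/secret.txt', "not for the web\n");

// The unsafe join happily points outside the spaces directory.
$unsafe = resolveSpacePathUnsafe($tmp . '/spaces', '/../secret.txt');
echo 'unsafe join -> ', $unsafe, ' (exists: ', var_export(file_exists($unsafe), true), ")\n";

// The hardened resolver rejects the same request and accepts an in-tree file.
var_dump(resolveSpacePathSafe($tmp . '/spaces', '/../secret.txt'));          // NULL
var_dump(resolveSpacePathSafe($tmp . '/spaces', '/blog/index.php') !== null); // bool(true)
var_dump(includeSpaceFile($tmp . '/spaces', '/../secret.txt'));              // bool(false)
includeSpaceFile($tmp . '/spaces', '/blog/index.php');                       // prints "inside spaces"
```

The containment check lives in application code, so it holds regardless of whether PATH_INFO was populated by the PHP built-in server, Nginx or Apache; relying on a particular server configuration to strip traversal sequences is exactly the kind of deployment-dependent behaviour the advisory's last sentence warns about. Checking the extension only after realpath() also means a request cannot smuggle a non-.php target past the include() gate with a misleading suffix in the unresolved string.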

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.2

Product Status

Vendor cockpit-project
Product cockpit
Versions (default: affected)
  • affected from 0 to 364 (excl.)

Credits

  • George Chen finder

References

Problem Types

  • CWE: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')