CVE-2026-38993
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
Cockpit: Cockpit: Arbitrary file write via directory traversal in Buckets component
Additional References
- https://access.redhat.com/security/cve/CVE-2026-38993
- https://bugzilla.redhat.com/show_bug.cgi?id=2463843
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-38993.json
References
- https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0
- https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.