Cockpit CMS through 2.14.0 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.
History

Tue, 14 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Agentejo
Agentejo cockpit
CPEs cpe:2.3:a:agentejo:cockpit:*:*:*:*:*:*:*:*
Vendors & Products Agentejo
Agentejo cockpit

Wed, 08 Jul 2026 14:15:00 +0000

Type Values Removed Values Added
Description Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations. Cockpit CMS through 2.14.0 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.
Title Cockpit CMS < 364 - Path Traversal Local File Inclusion via index.php Cockpit CMS 2.14.0 - Path Traversal Local File Inclusion via index.php
References

Mon, 06 Jul 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Thu, 02 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Cockpit-project
Cockpit-project cockpit
Vendors & Products Cockpit-project
Cockpit-project cockpit

Thu, 02 Jul 2026 20:15:00 +0000

Type Values Removed Values Added
Description Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.
Title Cockpit CMS < 364 - Path Traversal Local File Inclusion via index.php
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-07-02T20:04:56.875Z

Updated: 2026-07-14T22:03:09.658Z

Reserved: 2026-06-30T20:20:33.790Z

Link: CVE-2026-58467

cve-icon Vulnrichment

Updated: 2026-07-06T16:22:33.835Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-07-02T20:04:56Z

Links: CVE-2026-58467 - Bugzilla