CVE-2026-38991 · HIGH 8.8 · EPSS p29.2%

CVE-2026-38991

Description

Cockpit 2.13.5 and earlier is affected by a misconfiguration in the Bucket component's _isFileTypeAllowed function, where a specially crafted filename bypasses the extension filter. This allows an authenticated attacker to rename arbitrary files to a .php extension, enabling arbitrary code execution on the underlying server.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.38% probability of exploitation · percentile 29.2% · 2026-06-19T12:03:05Z
Published: 2026-04-29
Last modified: 2026-04-29

Underlying weaknesses · 1

CWE-434

References

  1. https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/
  2. https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0

Type: Weakness · Target: Unrestricted Upload of File with Dangerous Type (CWE-434) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE-2026-38992
  - CVE-2026-34965
  - CVE-2025-46001
  - CVE-2025-65473
  - CVE-2026-48907
  - CVE-2026-48906

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.