CVE Catalog

CVE-2026-58467

Severity: High (CVSS 7.5)
Translated from: NVD (NIST)

Exploitation Probability (EPSS): 0.42% (low risk), 34th percentile, i.e. higher than 34% of all known CVEs

Summary

Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.

Risk Assessment

The risk for the organization includes unauthorized access to sensitive configuration files, user data, or source code, and, in deployments using the PHP built-in server or specific Nginx configurations, remote code execution via PHP file inclusion, potentially leading to full server compromise.

Recommendation

Immediately upgrade Cockpit CMS to version 364 or later, which contains the fix for this vulnerability. Additionally, avoid using the PHP built-in server in production environments and ensure Nginx configurations include proper path validation rules.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS