Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

With package: cockpit

Found 1 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-58467
8.2 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): Present (P)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): Present (P)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
created 1 week, 6 days ago Activity log
  • Created suggestion
Cockpit CMS < 364 - Path Traversal Local File Inclusion via index.php

Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.

References

Affected products

cockpit
  • <364

Matching in nixpkgs

pkgs.cockpit

Web-based graphical interface for servers

  • nixos-unstable 363.1
    • nixpkgs-unstable 363.1
    • nixos-unstable-small 363.1
  • nixos-26.05 362
    • nixos-26.05-small 362
    • nixpkgs-26.05-darwin 362

pkgs.cockpit-files

Featureful file browser for Cockpit

  • nixos-unstable 41
    • nixpkgs-unstable 41
    • nixos-unstable-small 41
  • nixos-26.05 40
    • nixos-26.05-small 40
    • nixpkgs-26.05-darwin 40

pkgs.cockpit-podman

Cockpit UI for podman containers

  • nixos-unstable 127
    • nixpkgs-unstable 127
    • nixos-unstable-small 127
  • nixos-26.05 125
    • nixos-26.05-small 125
    • nixpkgs-26.05-darwin 125

pkgs.cockpit-machines

Cockpit UI for virtual machines

  • nixos-unstable 353
    • nixpkgs-unstable 353
    • nixos-unstable-small 353
  • nixos-26.05 352
    • nixos-26.05-small 352
    • nixpkgs-26.05-darwin 352

Package maintainers