Cockpit

This hub aggregates every CVE we track for Cockpit, a product in the operating systems space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Cockpit.

• CVE-2026-23695Cockpit CMS 2.14.0 Stored XSS via Set Field Display Template5.4May 15, 2026
• CVE-2026-6626Cockpit-HQ Cockpit Asset Handler/Aggregate data query logic injection6.3Apr 20, 2026
• CVE-2026-4631Cockpit: cockpit: unauthenticated remote code execution due to ssh command-line argument injection9.8Apr 7, 2026
• CVE-2026-31891Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()7.7Mar 18, 2026
• CVE-2025-7053Cockpit save cross site scripting3.5Jul 4, 2025
• CVE-2025-1025Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload where an attacker can use different extension to bypass the upload filter.7.5Feb 5, 2025
• CVE-2024-6656Hardcoded Credentals in TNB Mobile Solutions' Cockpit Software9.8Sep 13, 2024
• CVE-2024-6126Cockpit: authenticated user can kill any process when enabling pam_env's user_readenv option3.2Jul 3, 2024
• CVE-2024-1272Information Disclosure to Source Code in TNB Mobile Solutions' Cockpit Software7.5Jun 5, 2024
• CVE-2024-4825Unrestricted Upload of File with Dangerous Type vulnerability on Cockpit CMS from Agentejo9.8May 13, 2024
• CVE-2024-2947Cockpit: command injection when deleting a sosreport with a crafted name7.3Mar 28, 2024
• CVE-2024-2001Cross-Site Scripting vulnerability in Cockpit CMS5.5Feb 29, 2024
• CVE-2023-41564An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .shtml file.6.1Sep 8, 2023
• CVE-2023-4451Cross-site Scripting (XSS) - Reflected in cockpit-hq/cockpit6.1Aug 20, 2023
• CVE-2023-4433Cross-site Scripting (XSS) - Stored in cockpit-hq/cockpit5.4Aug 19, 2023