CVE-2026-38993
MediumCVSS 6.5Exploitation Probability (EPSS)
Elevated risk54th percentile - higher than 54% of all known CVEs
Summary
Directory traversal vulnerability in the Buckets component of Cockpit 2.13.5 and earlier. Allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.
Risk Assessment
The risk involves authenticated attackers uploading malicious files, potentially leading to server compromise or website defacement.
Recommendation
Immediately upgrade Cockpit to a version newer than 2.13.5 and restrict authenticated user permissions in the Buckets component.
Original NVD description (English source)
Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.

