CVE-2026-58467
CVSS: 7.5 (High)
Exploitation Probability (EPSS): Low risk, 34th percentile (higher than 34% of all known CVEs)
Summary
Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.
Risk Assessment
The risk for the organization includes unauthorized access to sensitive configuration files, user data, or source code, and, in deployments using the PHP built-in server or specific Nginx configurations, remote code execution via PHP file inclusion, potentially leading to full server compromise.
Recommendation
Immediately upgrade Cockpit CMS to version 364 or later, which contains the fix for this vulnerability. Additionally, avoid using the PHP built-in server in production environments and ensure Nginx configurations include proper path validation rules.
Original NVD description (English source)
Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.
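The missing control described above is a containment check: a path built from request-derived input (PATH_INFO, REQUEST_URI) must be canonicalised and verified to lie beneath the intended base directory before it is read or passed to include(). The following is an added example of such a check, written for this page and not taken from Cockpit CMS; the function names, the "spaces" base directory and the sandbox files are hypothetical and constructed here. It assumes PHP 8 (str_contains, str_starts_with).

```php
<?php
// Added example (not Cockpit CMS code): a containment check for filesystem
// paths derived from request input. All names and directories are hypothetical.

declare(strict_types=1);

/**
 * Resolve $relative against $baseDir and return the absolute path only if it
 * stays inside $baseDir; otherwise return null.
 */
function resolveContainedPath(string $baseDir, string $relative): ?string
{
    // Canonicalise the base directory; refuse to continue if it does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Reject null bytes and raw dot-dot segments before touching the filesystem.
    if (str_contains($relative, "\0")) {
        return null;
    }
    foreach (explode('/', str_replace('\\', '/', $relative)) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }

    // realpath() resolves symlinks and '.' components and returns false for
    // targets that do not exist, which is also treated as a rejection.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($relative, '/\\'));
    if ($candidate === false) {
        return null;
    }

    // Containment check: the resolved path must equal $base or live beneath it.
    // The trailing separator stops "/var/spaces2" from matching "/var/spaces".
    if ($candidate !== $base && !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

/**
 * Allow include() only for a contained file with an explicitly allowed
 * extension, so files elsewhere on disk can never reach the interpreter.
 */
function includeContained(string $baseDir, string $relative): bool
{
    $path = resolveContainedPath($baseDir, $relative);
    if ($path === null || pathinfo($path, PATHINFO_EXTENSION) !== 'php') {
        return false;
    }
    include $path;
    return true;
}

// Self-check against a constructed sandbox directory (created and removed here).
$sandbox = sys_get_temp_dir() . '/contain-demo-' . bin2hex(random_bytes(4));
mkdir($sandbox . '/spaces/site', 0700, true);
file_put_contents($sandbox . '/spaces/site/index.php', "<?php echo \"inside\\n\";");
file_put_contents($sandbox . '/outside.txt', "constructed sample\n");

$cases = [
    'site/index.php'         => true,   // inside the spaces directory
    '../outside.txt'         => false,  // dot-dot traversal
    'site/../../outside.txt' => false,  // traversal after a valid prefix
    "site/index.php\0.txt"   => false,  // null byte
];
foreach ($cases as $input => $expected) {
    $ok = resolveContainedPath($sandbox . '/spaces', $input) !== null;
    printf("%-28s %s\n", json_encode($input), $ok === $expected ? 'PASS' : 'FAIL');
}
includeContained($sandbox . '/spaces', 'site/index.php');   // prints "inside"

// Clean up the sandbox.
unlink($sandbox . '/spaces/site/index.php');
unlink($sandbox . '/outside.txt');
rmdir($sandbox . '/spaces/site');
rmdir($sandbox . '/spaces');
rmdir($sandbox);
```

The check relies on realpath() rather than string stripping alone: removing ".." textually can be bypassed by encoded or doubled sequences and does nothing about symlinks, whereas comparing the canonical result against the canonical base covers both. Rejecting non-existent targets is deliberate, since a path that cannot be resolved cannot be proven to be contained.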