CVE-2026-34965
Received Received - Intake
Authenticated Remote Code Execution in Cockpit CMS via Malicious Collection Rules

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: VulnCheck

Description
Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34965
EUVD
EUVD-2026-26280
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
agentejo cockpit to 494765e (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can lead to complete server compromise. An attacker exploiting this flaw can execute arbitrary commands on the server, potentially leading to data exfiltration, privilege escalation, and full control over the affected system.

Executive Summary

This vulnerability exists in Cockpit CMS within the /cockpit/collections/save_collection endpoint. It allows authenticated attackers who have collection management privileges to inject arbitrary PHP code into the collection rules parameters.

The injected PHP code is written directly to server-side PHP files and then executed via the include() function, enabling the attacker to execute arbitrary commands on the underlying server.

Impact Analysis

This vulnerability can lead to remote code execution on the server hosting Cockpit CMS. An attacker with the necessary privileges can run arbitrary commands, potentially gaining full control over the server.

Such control can result in data theft, data manipulation, service disruption, or further attacks within the network.

Executive Summary

CVE-2026-34965 is a critical vulnerability in Cockpit CMS that allows authenticated users with collection management privileges to perform remote code execution. The flaw exists in the /cockpit/collections/save_collection endpoint, where attackers can inject arbitrary PHP code into the collection rules parameters.

This injected PHP code is written directly to server-side PHP files and later executed via the include() function. By sending a specially crafted request containing malicious PHP payloads in the rules fields, an attacker can cause the server to execute arbitrary commands, leading to full remote code execution on the underlying server.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious activity involving the /cockpit/collections/save_collection endpoint, especially requests made by authenticated users with collection management privileges that include unusual or suspicious PHP code in the rules parameters.

One approach is to inspect web server logs or application logs for POST requests to /cockpit/collections/save_collection containing PHP tags or code snippets in the payload.

Example commands to detect potential exploitation attempts include using grep or similar tools to search logs for PHP code injection patterns:

  • grep -i 'POST /cockpit/collections/save_collection' /var/log/apache2/access.log | grep -E '<\?php|eval\(|base64_decode\('
  • grep -r '<?php' /path/to/cockpit/storage/collections/

Additionally, scanning the storage directory for recently modified PHP files containing injected code can help identify exploitation.

Mitigation Strategies

Immediate mitigation steps include applying the official patch released by the Cockpit CMS team that addresses this vulnerability.

If patching is not immediately possible, restrict access to the /cockpit/collections/save_collection endpoint to trusted users only, and ensure that only authenticated users with necessary privileges can access collection management features.

Additionally, monitor and audit collection rules parameters for any suspicious PHP code injection attempts.

Long-term remediation involves avoiding direct execution of user input, storing rules as data files (e.g., JSON), implementing strict validation to reject PHP tags, and using whitelist-based execution for predefined logic.

Compliance Impact

The vulnerability allows authenticated attackers to execute arbitrary code on the server, leading to complete server compromise and potential data exfiltration.

Such a compromise can result in unauthorized access to sensitive personal or protected health information, which may violate compliance requirements under standards like GDPR and HIPAA.

Therefore, this vulnerability poses a significant risk to maintaining compliance with data protection regulations by potentially exposing confidential data and failing to ensure data integrity and confidentiality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34965. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart