<Vulnerability name="CVE-2026-58467">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-02T20:04:56</PublicDate>
    <Bugzilla id="2496697" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496697" xml:lang="en:us">
cockpit: Cockpit CMS: Arbitrary file read and code execution via path traversal
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-22</CWE>
    <Details xml:lang="en:us" source="Mitre">
Cockpit CMS through 2.14.0 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Cockpit CMS. This vulnerability, a path traversal and local file inclusion, allows an unauthenticated attacker to read arbitrary files or execute PHP files. By manipulating the URL, an attacker can bypass security checks and access restricted directories. This could lead to unauthorized information disclosure or the execution of malicious code on affected systems.
    </Details>
    <Statement xml:lang="en:us">
This Important flaw in Cockpit CMS allows unauthenticated attackers to perform path traversal and local file inclusion, enabling them to read arbitrary files or execute PHP files. This is due to improper validation of `PATH_INFO` in the `REQUEST_URI`, which can be exploited on systems utilizing the PHP built-in server or certain non-default Nginx configurations. Successful exploitation could lead to unauthorized information disclosure or arbitrary code execution in some cases.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>cockpit</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>cockpit</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>cockpit</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>cockpit</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-58467
https://nvd.nist.gov/vuln/detail/CVE-2026-58467
https://github.com/cockpit-project/cockpit/releases/tag/364
https://github.com/geo-chen/oss/blob/main/cockpit.md
https://www.vulncheck.com/advisories/cockpit-cms-364-path-traversal-local-file-inclusion-via-index-php
    </References>
</Vulnerability>