Search
Find a vulnerability
Search criteria
4 vulnerabilities by Cockpit HQ
CVE-2026-57856 (GCVE-0-2026-57856)
Vulnerability from nvd – Published: 2026-07-13 22:41 – Updated: 2026-07-13 22:41
VLAI
EPSS
VEX
Title
Cockpit CMS Path Traversal via Bucket Name in Bucket File Storage API
Summary
Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php sanitizes the bucket name with preg_replace('/[^a-zA-Z0-9-_\\.]/','', $bucket), which permits '..' and '../' sequences. The sanitized value is interpolated into a Flysystem path as uploads://buckets/{bucket}. Flysystem's WhitespacePathNormalizer resolves 'buckets/..' to the empty string (the uploads storage root) without raising PathTraversalDetected because the '..' has a preceding component to consume. An authenticated low-privileged user can send a crafted request with a '../' bucket name to list, upload, and delete files across all buckets, including those belonging to other users or roles
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/cockpit-hq/cockpit | product |
| https://github.com/Cockpit-HQ/Cockpit/commit/dde2… | patch |
| https://gist.github.com/sermikr0/821c4edd3c34e98a… | technical-description |
| https://www.vulncheck.com/advisories/cockpit-cms-… | third-party-advisory |
| https://www.vulncheck.com/advisories/cockpit-cms-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cockpit HQ | Cockpit CMS |
Affected:
0 , < 2.14.0
(git)
|
Date Public
2026-07-13 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Cockpit CMS",
"vendor": "Cockpit HQ",
"versions": [
{
"lessThan": "2.14.0",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saidakbarxon Maxsudxonov"
}
],
"datePublic": "2026-07-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php sanitizes the bucket name with preg_replace(\u0027/[^a-zA-Z0-9-_\\\\.]/\u0027,\u0027\u0027, $bucket), which permits \u0027..\u0027 and \u0027../\u0027 sequences. The sanitized value is interpolated into a Flysystem path as uploads://buckets/{bucket}. Flysystem\u0027s WhitespacePathNormalizer resolves \u0027buckets/..\u0027 to the empty string (the uploads storage root) without raising PathTraversalDetected because the \u0027..\u0027 has a preceding component to consume. An authenticated low-privileged user can send a crafted request with a \u0027../\u0027 bucket name to list, upload, and delete files across all buckets, including those belonging to other users or roles"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T22:41:23.183Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Product",
"tags": [
"product"
],
"url": "https://github.com/cockpit-hq/cockpit"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/Cockpit-HQ/Cockpit/commit/dde2d1d74f5f4e11de42a298918ea8c9684f932c"
},
{
"tags": [
"technical-description"
],
"url": "https://gist.github.com/sermikr0/821c4edd3c34e98a62a50b07707785bd"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/cockpit-cms-missing-authorization-in-bucket-file-storage-api"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/cockpit-cms-path-traversal-via-bucket-name-in-bucket-file-storage-api"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cockpit CMS Path Traversal via Bucket Name in Bucket File Storage API",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-57856",
"datePublished": "2026-07-13T22:41:23.183Z",
"dateReserved": "2026-06-25T18:48:00.282Z",
"dateUpdated": "2026-07-13T22:41:23.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57855 (GCVE-0-2026-57855)
Vulnerability from nvd – Published: 2026-07-13 22:33 – Updated: 2026-07-13 22:33
VLAI
EPSS
VEX
Title
Cockpit CMS Missing Authorization in Bucket File Storage API
Summary
Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only.
Severity
CWE
- CWE-284 - Improper Access Control
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/cockpit-hq/cockpit | product |
| https://github.com/Cockpit-HQ/Cockpit/commit/dde2… | patch |
| https://gist.github.com/sermikr0/821c4edd3c34e98a… | technical-description |
| https://www.vulncheck.com/advisories/cockpit-cms-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cockpit HQ | Cockpit CMS |
Affected:
0 , < 2.14.0
(git)
|
Date Public
2026-07-13 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Cockpit CMS",
"vendor": "Cockpit HQ",
"versions": [
{
"lessThan": "2.14.0",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saidakbarxon Maxsudxonov"
}
],
"datePublic": "2026-07-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T22:33:39.717Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Product",
"tags": [
"product"
],
"url": "https://github.com/cockpit-hq/cockpit"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/Cockpit-HQ/Cockpit/commit/dde2d1d74f5f4e11de42a298918ea8c9684f932c"
},
{
"tags": [
"technical-description"
],
"url": "https://gist.github.com/sermikr0/821c4edd3c34e98a62a50b07707785bd"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/cockpit-cms-missing-authorization-in-bucket-file-storage-api"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cockpit CMS Missing Authorization in Bucket File Storage API",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-57855",
"datePublished": "2026-07-13T22:33:39.717Z",
"dateReserved": "2026-06-25T18:48:00.282Z",
"dateUpdated": "2026-07-13T22:33:39.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57856 (GCVE-0-2026-57856)
Vulnerability from cvelistv5 – Published: 2026-07-13 22:41 – Updated: 2026-07-13 22:41
VLAI
EPSS
VEX
Title
Cockpit CMS Path Traversal via Bucket Name in Bucket File Storage API
Summary
Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php sanitizes the bucket name with preg_replace('/[^a-zA-Z0-9-_\\.]/','', $bucket), which permits '..' and '../' sequences. The sanitized value is interpolated into a Flysystem path as uploads://buckets/{bucket}. Flysystem's WhitespacePathNormalizer resolves 'buckets/..' to the empty string (the uploads storage root) without raising PathTraversalDetected because the '..' has a preceding component to consume. An authenticated low-privileged user can send a crafted request with a '../' bucket name to list, upload, and delete files across all buckets, including those belonging to other users or roles
Severity
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/cockpit-hq/cockpit | product |
| https://github.com/Cockpit-HQ/Cockpit/commit/dde2… | patch |
| https://gist.github.com/sermikr0/821c4edd3c34e98a… | technical-description |
| https://www.vulncheck.com/advisories/cockpit-cms-… | third-party-advisory |
| https://www.vulncheck.com/advisories/cockpit-cms-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cockpit HQ | Cockpit CMS |
Affected:
0 , < 2.14.0
(git)
|
Date Public
2026-07-13 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Cockpit CMS",
"vendor": "Cockpit HQ",
"versions": [
{
"lessThan": "2.14.0",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saidakbarxon Maxsudxonov"
}
],
"datePublic": "2026-07-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php sanitizes the bucket name with preg_replace(\u0027/[^a-zA-Z0-9-_\\\\.]/\u0027,\u0027\u0027, $bucket), which permits \u0027..\u0027 and \u0027../\u0027 sequences. The sanitized value is interpolated into a Flysystem path as uploads://buckets/{bucket}. Flysystem\u0027s WhitespacePathNormalizer resolves \u0027buckets/..\u0027 to the empty string (the uploads storage root) without raising PathTraversalDetected because the \u0027..\u0027 has a preceding component to consume. An authenticated low-privileged user can send a crafted request with a \u0027../\u0027 bucket name to list, upload, and delete files across all buckets, including those belonging to other users or roles"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T22:41:23.183Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Product",
"tags": [
"product"
],
"url": "https://github.com/cockpit-hq/cockpit"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/Cockpit-HQ/Cockpit/commit/dde2d1d74f5f4e11de42a298918ea8c9684f932c"
},
{
"tags": [
"technical-description"
],
"url": "https://gist.github.com/sermikr0/821c4edd3c34e98a62a50b07707785bd"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/cockpit-cms-missing-authorization-in-bucket-file-storage-api"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/cockpit-cms-path-traversal-via-bucket-name-in-bucket-file-storage-api"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cockpit CMS Path Traversal via Bucket Name in Bucket File Storage API",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-57856",
"datePublished": "2026-07-13T22:41:23.183Z",
"dateReserved": "2026-06-25T18:48:00.282Z",
"dateUpdated": "2026-07-13T22:41:23.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-57855 (GCVE-0-2026-57855)
Vulnerability from cvelistv5 – Published: 2026-07-13 22:33 – Updated: 2026-07-13 22:33
VLAI
EPSS
VEX
Title
Cockpit CMS Missing Authorization in Bucket File Storage API
Summary
Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only.
Severity
CWE
- CWE-284 - Improper Access Control
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/cockpit-hq/cockpit | product |
| https://github.com/Cockpit-HQ/Cockpit/commit/dde2… | patch |
| https://gist.github.com/sermikr0/821c4edd3c34e98a… | technical-description |
| https://www.vulncheck.com/advisories/cockpit-cms-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Cockpit HQ | Cockpit CMS |
Affected:
0 , < 2.14.0
(git)
|
Date Public
2026-07-13 00:00
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Cockpit CMS",
"vendor": "Cockpit HQ",
"versions": [
{
"lessThan": "2.14.0",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Saidakbarxon Maxsudxonov"
}
],
"datePublic": "2026-07-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T22:33:39.717Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Product",
"tags": [
"product"
],
"url": "https://github.com/cockpit-hq/cockpit"
},
{
"name": "Patch Commit",
"tags": [
"patch"
],
"url": "https://github.com/Cockpit-HQ/Cockpit/commit/dde2d1d74f5f4e11de42a298918ea8c9684f932c"
},
{
"tags": [
"technical-description"
],
"url": "https://gist.github.com/sermikr0/821c4edd3c34e98a62a50b07707785bd"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/cockpit-cms-missing-authorization-in-bucket-file-storage-api"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cockpit CMS Missing Authorization in Bucket File Storage API",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-57855",
"datePublished": "2026-07-13T22:33:39.717Z",
"dateReserved": "2026-06-25T18:48:00.282Z",
"dateUpdated": "2026-07-13T22:33:39.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}