critical advisory

Cockpit CMS Authenticated Remote Code Execution via Code Injection

Cockpit CMS is vulnerable to authenticated remote code execution via PHP code injection in the /cockpit/collections/save_collection endpoint, enabling attackers with collection management privileges to execute arbitrary commands on the server.

Cockpit CMS is vulnerable to remote code execution due to insufficient input validation in the /cockpit/collections/save_collection endpoint. The vulnerability, identified as CVE-2026-34965, lets an authenticated attacker with collection management privileges inject arbitrary PHP code into collection rules parameters. The injected code is written directly to server-side PHP files and executed via the include() function, leading to arbitrary command execution on the underlying server. This poses a significant risk to organizations using Cockpit CMS, potentially leading to complete system compromise.

Attack Chain

  1. Attacker authenticates to the Cockpit CMS application with valid collection management credentials.
  2. Attacker navigates to the /cockpit/collections/save_collection endpoint.
  3. Attacker crafts a malicious request to the /cockpit/collections/save_collection endpoint containing PHP code within collection rules parameters.
  4. The application saves the attacker-supplied PHP code into a PHP file on the server.
  5. The application uses the include() function to execute the PHP file.
  6. The injected PHP code executes arbitrary commands on the underlying server, granting the attacker control of the system.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the underlying server. This can lead to complete system compromise, including data theft, modification, or deletion. Given the high CVSS score (8.8), this vulnerability poses a critical risk, especially for internet-facing Cockpit CMS installations. Organizations in any sector using Cockpit CMS are potentially affected.

Recommendation

  • Apply the patch or upgrade to a version of Cockpit CMS that addresses CVE-2026-34965 to remediate the vulnerability.
  • Deploy the Sigma rule Detect Suspicious Cockpit CMS Save Collection Activity to identify potential exploitation attempts in web server logs.
  • Monitor web server logs for POST requests to /cockpit/collections/save_collection with suspicious characters or PHP code in the request body, as detected by the Sigma rule Detect PHP Code Injection in Cockpit CMS Collections.

Detection coverage (2)

Detect Suspicious Cockpit CMS Save Collection Activity

high

Detects suspicious POST requests to the /cockpit/collections/save_collection endpoint, potentially indicating exploitation attempts.

sigma | tactics: execution | techniques: T1505.003 | sources: webserver, linux

Detect PHP Code Injection in Cockpit CMS Collections

critical

Detects PHP code injection attempts in the /cockpit/collections/save_collection endpoint by looking for PHP tags and functions in the request body.

sigma | tactics: execution | techniques: T1059.001, T1505.003 | sources: webserver, linux
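One way to run the log check described in the recommendations and in the second rule, as an added example (not the platform's Sigma rule and not Cockpit code). It assumes a proxy or WAF log in JSON lines that records request bodies, with hypothetical field names ts, src, method, path and body; the indicator list and the choice to rate every POST to the endpoint as high are also assumptions.

```python
import json
import re
from urllib.parse import unquote_plus

ENDPOINT = "/cockpit/collections/save_collection"  # path from the advisory
# Assumed indicator list: PHP open tags and functions commonly used to run code.
PHP_PATTERN = re.compile(
    r"<\?(?:php|=)|\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE)
# Constructed sample log (documentation IP ranges, placeholder field and payload).
SAMPLE_LOG = r'''
{"ts":"2026-01-01T10:00:00Z","src":"198.51.100.7","method":"GET","path":"/cockpit/collections","body":""}
{"ts":"2026-01-01T10:00:05Z","src":"198.51.100.7","method":"POST","path":"/cockpit/collections/save_collection","body":"{\"placeholder_field\":\"plain text value\"}"}
{"ts":"2026-01-01T10:00:09Z","src":"203.0.113.9","method":"POST","path":"/cockpit/collections/save_collection","body":"placeholder_field=%3C%3Fphp+PLACEHOLDER+%3F%3E"}
{"ts":"2026-01-01T10:00:12Z","src":"203.0.113.9","method":"POST","path":"/cockpit/collections/save_collection/","body":"{\"placeholder_field\":\"\\u003c?= PLACEHOLDER ?\\u003e\"}"}
'''

def normalize(body):
    """Undo up to two layers of URL encoding, then JSON slash and \\uXXXX escapes."""
    for _ in range(2):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    body = body.replace("\\/", "/")
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), body)

def classify(event):
    """Return 'critical', 'high' or None, mirroring the two rule levels on the page."""
    path = event.get("path", "").split("?", 1)[0].rstrip("/")
    if event.get("method", "").upper() != "POST" or path != ENDPOINT:
        return None
    return "critical" if PHP_PATTERN.search(normalize(event.get("body", ""))) else "high"

def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip it rather than abort the scan
        level = classify(event)
        if level:
            hits.append((event.get("ts"), event.get("src"), level))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Matching on the decoded body matters because a PHP tag that arrives URL-encoded or as a JSON unicode escape would not match a literal string search on the raw log line.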
