{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cockpit/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-4802"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cockpit"],"_cs_severities":["high"],"_cs_tags":["command injection","rce","web application"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eCVE-2026-4802 is a command injection vulnerability in Cockpit, the web-based interface for Linux system administration. The flaw is in the system logs UI: parameters that a user controls through a crafted link are not sanitized before the UI passes them into a system command. An attacker who gets a Cockpit user to open such a link can place shell metacharacters (such as ; or |) and command substitutions (such as $(...)) in those parameters and have arbitrary shell commands run on the host. The commands run with the privileges of the victim\u0026rsquo;s Cockpit session; since Cockpit is an administration tool, that is frequently an account with root-level rights, and successful exploitation can amount to a complete compromise of the host. This vulnerability poses a significant risk to systems that rely on Cockpit for remote administration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a link to the Cockpit system logs UI whose user-controlled parameters carry shell metacharacters or command substitutions.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the link to a user who has a Cockpit session on the target system, for example through phishing or social engineering; the attacker needs no Cockpit credentials of their own.\u003c/li\u003e\n\u003cli\u003eThe user opens the link and the Cockpit system logs UI reads the parameters from it.\u003c/li\u003e\n\u003cli\u003eThe UI does not sanitize the parameters and passes them into a system command that is built as a shell string rather than as separate arguments.\u003c/li\u003e\n\u003cli\u003eThe shell interprets the injected metacharacters and substitutions, and the attacker\u0026rsquo;s commands execute on the host with the privileges of the victim\u0026rsquo;s Cockpit session.\u003c/li\u003e\n\u003cli\u003eThe attacker uses that foothold to install malware, exfiltrate data, create accounts, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4802 gives a remote attacker arbitrary command execution on the host at the privilege level of the victim\u0026rsquo;s Cockpit session. Because Cockpit is used for administration, that commonly means full control of the system and of every service and data set hosted on it: the attacker can do anything the compromised session could, including installing malicious software, creating new user accounts, or reading sensitive data. The one precondition is a legitimate Cockpit user who opens the crafted link.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the Cockpit update from Red Hat (or the Cockpit package from your distribution) that fixes CVE-2026-4802.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-4802 Exploitation Attempt via Crafted URL\u0026rdquo; against web-server logs to flag requests to the logs UI whose parameters contain shell metacharacters or command substitutions. Confirm first that those parameters appear in the request line your web server actually logs: URL-encoded values need decoding before matching, and anything carried in a URL fragment (after #) is never sent to the server and cannot be seen there.\u003c/li\u003e\n\u003cli\u003eIf you maintain Cockpit code or plugins that spawn commands, validate user-supplied parameters against an allow-list and pass them as separate arguments instead of interpolating them into a shell command line.\u003c/li\u003e\n\u003cli\u003eReview Cockpit and web-server logs for requests to the logs UI from unexpected sources, and watch for unusual processes spawned from Cockpit sessions (children of cockpit-bridge) that are not part of normal log viewing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:17:09Z","date_published":"2026-05-11T14:17:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cockpit-rce/","summary":"CVE-2026-4802 is a command injection vulnerability in Cockpit's system logs UI that allows a remote attacker to execute arbitrary commands on the host by exploiting unsanitized user-controlled parameters in crafted links.","title":"CVE-2026-4802: Cockpit Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cockpit-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cockpit","version":"https://jsonfeed.org/version/1.1"}
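The attack chain in the advisory above (a URL parameter spliced into a shell command) and its detection recommendation (crafted URLs in web-server logs) are illustrated by the following added Python example. It is not Cockpit's code and does not reproduce the actual vulnerable code path: the parameter name (filter), the request path, the combined-log-format lines and the use of printf as a stand-in for the real log-query command are all constructed assumptions. It shows the bug pattern and its hardened counterpart side by side, then runs a metacharacter check over sample access-log lines, decoding URL-encoding (twice, to catch double encoding) before matching.

```python
"""Added example (not Cockpit's own code): a URL parameter flowing into a
shell command, shown in the vulnerable form and a hardened form, plus a
detector for crafted URLs in web-server access logs.  The parameter name
(filter), the request path, the log format and the log lines are all
constructed assumptions; the real command is stood in for by printf."""
import re
import subprocess
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let a value break out of a shell command line or trigger
# command substitution; used for detection (denylist), never alone for defence.
SHELL_META = re.compile(r"""[;&|`$<>(){}'"\\\n]""")

# Allow-list for a log filter value (assumption about what the UI should accept).
SAFE_FILTER = re.compile(r"[A-Za-z0-9_.:@/=-]{1,128}")


def build_command_vulnerable(filter_value: str) -> str:
    """The bug pattern: the parameter is spliced into a shell string."""
    return f"printf '%s\\n' {filter_value}"


def run_vulnerable(filter_value: str) -> str:
    """shell=True hands the string to /bin/sh, which interprets ; | $() etc."""
    proc = subprocess.run(build_command_vulnerable(filter_value),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def run_hardened(filter_value: str) -> str:
    """Allow-list the value, then pass it as its own argv element: no shell
    ever parses it, so metacharacters would be literal even if they got through."""
    if not SAFE_FILTER.fullmatch(filter_value):
        raise ValueError(f"rejected log filter value: {filter_value!r}")
    proc = subprocess.run(["printf", "%s\n", filter_value],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# --- detection over web-server logs ---------------------------------------

# Combined-log-format request lines (constructed; not from any real server).
# Lines 2 and 3 carry a URL-encoded "$(id)" and ";curl evil" in the filter parameter.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - alice [11/May/2026:14:17:09 +0000] "GET /cockpit/@localhost/system/logs.html?filter=kernel HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [11/May/2026:14:18:02 +0000] "GET /cockpit/@localhost/system/logs.html?filter=kernel%24%28id%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - bob [11/May/2026:14:18:40 +0000] "GET /cockpit/@localhost/system/logs.html?filter=kernel%3Bcurl%20evil.example HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_params(target: str) -> dict[str, list[str]]:
    """Return query parameters whose decoded value contains shell metacharacters.
    Values are decoded a second time to catch double URL-encoding."""
    hits: dict[str, list[str]] = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        bad = [v for v in values if SHELL_META.search(v) or SHELL_META.search(unquote(v))]
        if bad:
            hits[name] = bad
    return hits


def scan_access_log(text: str) -> list[dict]:
    """Emit one alert per request to the logs UI that carries a suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        target = m["target"]
        if "/logs" not in urlsplit(target).path:   # assumed path of the logs UI
            continue
        hits = suspicious_params(target)
        if hits:
            alerts.append({"src": m["src"], "user": m["user"], "ts": m["ts"], "params": hits})
    return alerts


if __name__ == "__main__":
    print(run_vulnerable("kernel; echo PWNED"), end="")      # the shell also runs echo
    try:
        run_hardened("kernel; echo PWNED")
    except ValueError as exc:
        print("hardened:", exc)
    print(run_hardened("kernel"), end="")
    for alert in scan_access_log(SAMPLE_ACCESS_LOG):
        print("ALERT", alert)
```

The hardened path relies on two independent controls: the allow-list rejects anything outside the expected character set, and the argv list means that even a value which slipped past validation would reach the command as a literal argument, because no shell ever parses it. If a shell is genuinely unavoidable, shlex.quote the value before interpolation, but prefer the argv form. The detector is deliberately broad (any shell metacharacter in any parameter of a logs-UI request); tune the path check and the parameter names to what your deployment actually serves, and remember it can only see parameters that your web server records in the request line.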