{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/agentejo/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-34965"}],"_cs_exploited":false,"_cs_products":["Cockpit CMS"],"_cs_severities":["critical"],"_cs_tags":["rce","code-injection","cockpit-cms"],"_cs_type":"advisory","_cs_vendors":["agentejo"],"content_html":"\u003cp\u003eCockpit CMS is vulnerable to authenticated remote code execution (CVE-2026-34965, CVSS 8.8) caused by insufficient input validation in the \u003ccode\u003e/cockpit/collections/save_collection\u003c/code\u003e endpoint. An attacker who holds collection management privileges can place arbitrary PHP code in the collection rules parameters of a save request. The application writes the attacker-supplied rule text directly into a server-side PHP file and later executes that file via \u003ccode\u003einclude()\u003c/code\u003e, so the injected code runs in the PHP process serving the application and can launch arbitrary operating system commands. For organizations running Cockpit CMS this can mean complete compromise of the host.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to Cockpit CMS with an account that holds collection management privileges.\u003c/li\u003e\n\u003cli\u003eAttacker sends a crafted request to the \u003ccode\u003e/cockpit/collections/save_collection\u003c/code\u003e endpoint whose collection rules parameters contain PHP code instead of legitimate rule logic.\u003c/li\u003e\n\u003cli\u003eThe application does not validate the rule parameters and writes the attacker-supplied PHP code into a PHP file on the server.\u003c/li\u003e\n\u003cli\u003eThe application executes that file via \u003ccode\u003einclude()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected PHP code runs arbitrary commands on the underlying server, giving the attacker control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives the attacker arbitrary command execution on the server hosting Cockpit CMS. Data stored or managed by the CMS can be read, modified or deleted, and the host can serve as a foothold for further movement into the environment. The CVSS score of 8.8 sits in the High band; because the only precondition is an authenticated account with collection management privileges, the practical risk is critical for internet-facing installations and for any deployment where content editors or integrations hold that privilege. Organizations in any sector using Cockpit CMS are potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a Cockpit CMS release that addresses CVE-2026-34965, or apply the vendor patch.\u003c/li\u003e\n\u003cli\u003eUntil patched, review which accounts and integrations hold collection management privileges and remove the privilege where it is not needed; the vulnerability is reachable only by authenticated users.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Cockpit CMS Save Collection Activity\u003c/code\u003e to surface POST requests to \u003ccode\u003e/cockpit/collections/save_collection\u003c/code\u003e, and \u003ccode\u003eDetect PHP Code Injection in Cockpit CMS Collections\u003c/code\u003e to flag request bodies that carry PHP code or suspicious characters. Standard web server access logs do not record request bodies, so the body-level rule needs a reverse proxy, WAF or application log that captures them.\u003c/li\u003e\n\u003cli\u003eInspect the collection rule files already on the server for unexpected PHP code; exploitation before the patch was applied leaves the injected code in place.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:29Z","date_published":"2026-04-29T20:16:29Z","id":"/briefs/2026-04-cockpit-rce/","summary":"Cockpit CMS is vulnerable to authenticated remote code execution via PHP code injection in the /cockpit/collections/save_collection endpoint, enabling attackers with collection management privileges to execute arbitrary commands on the server.","title":"Cockpit CMS Authenticated Remote Code Execution via Code Injection","url":"https://feed.craftedsignal.io/briefs/2026-04-cockpit-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Agentejo","version":"https://jsonfeed.org/version/1.1"}
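The following Python script is an added worked example for the brief above, covering both the request shape described in its attack chain and the log monitoring it recommends. It is not code from Cockpit CMS or from CraftedSignal, and it is not the text of the two Sigma rules the brief names, although its two tiers follow the same split: any POST to the save_collection endpoint is reported as audit-level activity, and a body carrying PHP code is reported as a likely injection attempt. It assumes a reverse proxy or WAF that writes one JSON object per request with the keys remote_addr, user, method, path and body; plain access logs do not carry bodies, so such records can only ever reach the activity tier. The sample log lines are constructed, and the parameter shape collection[rules][...] used in them is an assumption, since the brief only says "collection rules parameters".

```python
"""Two-tier triage of request logs for CVE-2026-34965 attempts.

Added example for the CraftedSignal brief on Cockpit CMS. This is neither
Cockpit CMS code nor the CraftedSignal Sigma rules; it only follows the
brief's description of the endpoint and payload. Assumed log format: one JSON
object per request from a reverse proxy or WAF that records the body, with
the keys "remote_addr", "user", "method", "path" and "body". Plain access
logs lack "body", so those records fall back to the activity tier.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional
from urllib.parse import unquote_plus

TARGET_PATH = "/cockpit/collections/save_collection"

# Tier 2 markers: PHP that has no business in a rule parameter. The order
# only determines the order of labels in a finding.
PHP_MARKERS = [
    ("php-open-tag", re.compile(r"<\?(php\b|=)", re.I)),
    ("php-exec-func", re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I)),
    ("php-backtick-exec", re.compile(r"`[^`\n]+`")),
    ("php-superglobal", re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER)\b")),
    ("php-file-write", re.compile(r"\b(file_put_contents|fwrite|fopen)\s*\(", re.I)),
]


@dataclass
class Finding:
    rule: str                 # "save_collection_activity" (tier 1) or "php_code_injection" (tier 2)
    remote_addr: str
    user: str
    markers: list[str] = field(default_factory=list)
    excerpt: str = ""         # start of the decoded body, for the analyst


def normalise_body(body: object) -> str:
    """Strip the encodings an attacker can hide PHP behind before matching.

    Form bodies are percent-encoded; JSON bodies may carry \\uXXXX escapes for
    '<' or '$'. Two passes of percent-decoding catch one level of
    double-encoding without looping.
    """
    if not body:
        return ""
    text = str(body)
    for _ in range(2):
        text = unquote_plus(text)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding for a POST to the save_collection endpoint, else None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None                      # not one of the assumed JSON request records
    if not isinstance(rec, dict) or str(rec.get("method", "")).upper() != "POST":
        return None
    path = str(rec.get("path", "")).split("?", 1)[0].rstrip("/")
    if path != TARGET_PATH:
        return None
    body = normalise_body(rec.get("body"))
    markers = [name for name, rx in PHP_MARKERS if rx.search(body)]
    rule = "php_code_injection" if markers else "save_collection_activity"
    return Finding(rule, str(rec.get("remote_addr", "?")), str(rec.get("user", "?")),
                   markers, body[:120])


def scan_log_lines(lines: Iterable[str]) -> list[Finding]:
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample records. The parameter shape "collection[rules][...]" is
# assumed for illustration; the brief only says "collection rules parameters".
SAMPLE_LOG = r'''
{"remote_addr":"10.0.0.5","user":"editor","method":"POST","path":"/cockpit/collections/save_collection","body":"collection%5Bname%5D=posts&collection%5Brules%5D%5Bread%5D=return+true%3B"}
{"remote_addr":"203.0.113.9","user":"editor","method":"POST","path":"/cockpit/collections/save_collection","body":"{\"collection\":{\"name\":\"posts\",\"rules\":{\"read\":\"\\u003c?php system($_GET['c']); ?\\u003e\"}}}"}
{"remote_addr":"203.0.113.9","user":"editor","method":"POST","path":"/cockpit/collections/save_collection/","body":"collection%5Brules%5D%5Bcreate%5D=%60id%60"}
{"remote_addr":"10.0.0.7","user":"reader","method":"GET","path":"/cockpit/collections/save_collection","body":""}
{"remote_addr":"10.0.0.8","user":"-","method":"POST","path":"/cockpit/collections/find","body":"filter=%7B%7D"}
not json at all
'''.strip().splitlines()

if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"{f.rule:26} {f.remote_addr:14} {f.user:8} "
              f"{','.join(f.markers) or '-'}  {f.excerpt[:60]}")
```

Run it directly to print the triage table for the sample records, or feed scan_log_lines an iterator over your own log. Expect the activity tier to fire on legitimate administration too, so baseline which accounts normally edit collections before alerting on it, and treat the injection tier as the high-confidence signal. Because bodies are percent-decoded twice and JSON \uXXXX escapes are resolved before matching, the JSON-escaped `<?php` payload and the percent-encoded backtick payload in the sample are both caught.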