Vendor
A path traversal vulnerability (CVE-2026-57856) exists in the Bucket file storage API of Cockpit CMS, allowing authenticated low-privileged users to exploit a flaw in bucket name sanitization to access, upload, or delete files across all buckets by using crafted '..' sequences.