CVE-2026-34965
Published: 29 April 2026
Description
Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters; the injected code is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.
Mitigating Controls (NIST 800-53 r5)
- Enforces validation of rule parameters in the /cockpit/collections/save_collection endpoint to block injection of arbitrary PHP code before it is written to server-side files.
- Directly remediates the flaw in Cockpit CMS by applying patches or updates that prevent PHP code injection and execution via collection rules.
- Applies least privilege to minimize users with collection management privileges needed to access and exploit the vulnerable endpoint.
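The first control above (validate rule parameters before they reach a server-side PHP file) as an added PHP example: this is illustrative code written for this record, not Cockpit's own implementation, and the rule key names, the length limit and the generated-file layout are assumptions. User-supplied values are allowlisted, then emitted through var_export() so they land in the file as quoted literals rather than as source code.

```php
<?php
declare(strict_types=1);

// Illustrative hardening, not Cockpit's code. Rule parameters arrive as user
// input and must be persisted as data, never concatenated into PHP source.

const MAX_RULE_LENGTH = 2048;                                      // assumed limit
const ALLOWED_RULE_KEYS = ['read', 'create', 'update', 'delete'];  // assumed slots

/** Accept only short plain strings stored under allowlisted keys. */
function validateRules(array $input): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        if (!in_array($key, ALLOWED_RULE_KEYS, true)) {
            throw new InvalidArgumentException('unknown rule key: ' . json_encode($key));
        }
        if (!is_string($value) || strlen($value) > MAX_RULE_LENGTH) {
            throw new InvalidArgumentException("rule '$key' must be a string of at most " . MAX_RULE_LENGTH . ' bytes');
        }
        // Defence in depth: var_export() already neutralises these inside a quoted
        // literal, but a data-only file has no business carrying PHP tags or NULs.
        if (preg_match('/<\?|\?>|\x00/', $value)) {
            throw new InvalidArgumentException("rule '$key' contains a PHP tag or NUL byte");
        }
        $clean[$key] = $value;
    }
    return $clean;
}

/** Render the file body; var_export() quotes and escapes every string value. */
function renderRulesFile(array $rules): string
{
    return "<?php\n// generated file: values are data only, never executed\nreturn "
        . var_export(validateRules($rules), true) . ";\n";
}

/** Write to a temp file and rename, so a half-written file is never include()d. */
function saveRulesFile(string $path, array $rules): void
{
    $body = renderRulesFile($rules);
    $tmp  = $path . '.' . bin2hex(random_bytes(8)) . '.tmp';
    file_put_contents($tmp, $body, LOCK_EX);
    rename($tmp, $path);
}

// Constructed input: a quote-breakout attempt is stored as an inert string literal.
echo renderRulesFile(['read' => "true'; echo 'breakout"]);
```

A reader can confirm the behaviour by running the script and checking that the single quote in the value appears backslash-escaped inside the emitted array literal.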
Security Summary
CVE-2026-34965 is an authenticated remote code execution vulnerability (CWE-94) in Cockpit CMS, specifically within the /cockpit/collections/save_collection endpoint. Published on 2026-04-29, it enables attackers to inject arbitrary PHP code into collection rules parameters. The injected code is written directly to server-side PHP files and subsequently executed via include(), resulting in arbitrary command execution on the underlying server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Attackers require valid authentication and collection management privileges to exploit this issue over the network with low complexity and no user interaction. By crafting a request to the vulnerable endpoint with malicious PHP in rule parameters, they can persist and trigger code execution, gaining high-impact control over confidentiality, integrity, and availability on the server.
Advisories and patches are documented in references including VulnCheck's advisory at https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-via-collections, a detailed analysis at https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90, the Cockpit GitHub repository at https://github.com/agentejo/cockpit, and a related commit at https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9.
Details
- CWE(s)