CVE-2026-4802

Name: CVE-2026-4802
Description: A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version            Status
cockpit (PTS)    bullseye              239-1              vulnerable
cockpit (PTS)    bookworm              287.1-0+deb12u3    vulnerable
cockpit (PTS)    bookworm (security)   287.1-0+deb12u2    vulnerable
cockpit (PTS)    trixie                337-1+deb13u1      vulnerable
cockpit (PTS)    forky, sid            360-1              vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
cockpit   source   (unstable)   (unfixed)       -         -        -

Notes

https://www.openwall.com/lists/oss-security/2026/05/20/19
https://bugzilla.redhat.com/show_bug.cgi?id=2451155
Fixed by: https://github.com/cockpit-project/cockpit/commit/e3a47d70f99a0dbbb427b3146ae9571cecc44296 (362)
Testcase: https://github.com/cockpit-project/cockpit/commit/7b401c90fd775dd89ffce194c947ff2e74f5e5ee (362)
