File Type Bypass Vulnerability in Cockpit by Cockpit HQ
CVE-2026-38991
Currently unrated
What is CVE-2026-38991?
Cockpit 2.13.5 and earlier versions contain a misconfiguration in the _isFileTypeAllowed function of the Bucket component. An authenticated attacker can use a specially crafted filename to bypass the intended file extension filter and rename arbitrary files with a .php extension. This may lead to the execution of arbitrary code on the server.
