Directory Traversal Vulnerability in Cockpit by Cockpit HQ
CVE-2026-38993

Currently unrated

Key Information:

Vendor: Cockpit HQ
Status: Cockpit
Vendor: CVE Published:; 29 April 2026

What is CVE-2026-38993?

An identified vulnerability in Cockpit versions 2.13.5 and earlier permits directory traversal through the Buckets component. This flaw enables authenticated attackers to manipulate files within the uploads directory, including writing files to arbitrary locations and overwriting existing assets with unauthorized versions. As a result, this could lead to severe security implications if exploited, compromising the integrity of the affected environment.

References

https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0

https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-38993 Data

JSON