Data Query Logic Injection Vulnerability in Cockpit-HQ Cockpit by Cockpit
CVE-2026-6626

5.3 MEDIUM

Key Information:

Vendor: Cockpit-hq

Status
Vendor
CVE Published: 20 April 2026

Badges

👾 Exploit Exists
🟡 Public PoC

What is CVE-2026-6626?

A vulnerability has been identified in Cockpit-HQ Cockpit versions up to 2.13.5, in the Asset Handler and Aggregate Handler components. The flaw is improper neutralization within data query logic, which could potentially be exploited by remote attackers. The vendor was notified about the issue but did not respond, and the details of the exploit are now publicly available, posing potential risks to users.

Affected Version(s)

Cockpit 2.13.0

Cockpit 2.13.1

Cockpit 2.13.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nicolas Pauferro (VulDB User)
VulDB CNA Team