📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
About FAQ Contact Us Terms of Service Privacy Policy 🌐 العربية
🔐

Welcome — Sign in or create an account for full access.

🔑 Sign In ✨ Register
🌐 العربية Sign In Create Account
🔧 Scheduled Maintenance — Saturday 2:00-4:00 AM AST. Some features may be temporarily unavailable.    ●   
💎
Pro Plan 50% Off Unlock all AI features, unlimited reports, and priority support. Upgrade
Search Center
ESC to close
navigate open Ctrl+K search
CISO Consulting
Global vulnerability Higher Education CRITICAL 9h Global data_breach Government HIGH 10h Global supply_chain Software Development and Open Source Communities CRITICAL 10h Global malware Software Development CRITICAL 10h Global phishing Multiple Sectors HIGH 10h Global vulnerability Web Applications CRITICAL 11h Global apt Critical Infrastructure CRITICAL 11h Global ransomware Multiple sectors CRITICAL 11h Global supply_chain Software Development, IT Infrastructure, Technology CRITICAL 12h Global vulnerability,data_breach,general Technology, Industrial Control Systems, Telecommunications HIGH 13h Global vulnerability Higher Education CRITICAL 9h Global data_breach Government HIGH 10h Global supply_chain Software Development and Open Source Communities CRITICAL 10h Global malware Software Development CRITICAL 10h Global phishing Multiple Sectors HIGH 10h Global vulnerability Web Applications CRITICAL 11h Global apt Critical Infrastructure CRITICAL 11h Global ransomware Multiple sectors CRITICAL 11h Global supply_chain Software Development, IT Infrastructure, Technology CRITICAL 12h Global vulnerability,data_breach,general Technology, Industrial Control Systems, Telecommunications HIGH 13h Global vulnerability Higher Education CRITICAL 9h Global data_breach Government HIGH 10h Global supply_chain Software Development and Open Source Communities CRITICAL 10h Global malware Software Development CRITICAL 10h Global phishing Multiple Sectors HIGH 10h Global vulnerability Web Applications CRITICAL 11h Global apt Critical Infrastructure CRITICAL 11h Global ransomware Multiple sectors CRITICAL 11h Global supply_chain Software Development, IT Infrastructure, Technology CRITICAL 12h Global vulnerability,data_breach,general Technology, Industrial Control Systems, Telecommunications HIGH 13h
Vulnerabilities

CVE-2026-34965

High
CWE-94 — Weakness Type
Published: Apr 29, 2026  ·  Modified: May 6, 2026  ·  Source: NVD
CVSS v3
8.8
🔗 NVD Official
📄 Description (English)

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.

🤖 AI Executive Summary

Cockpit CMS contains a critical authenticated remote code execution vulnerability (CVE-2026-34965) in the collection management endpoint that allows privileged users to inject arbitrary PHP code through rule parameters. The vulnerability exploits unsafe file writing and include() execution, enabling complete server compromise. With a CVSS score of 8.8 and no patch currently available, this poses an immediate threat to organizations using Cockpit CMS for content management.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 4, 2026 16:16
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Cockpit CMS for content management—particularly government agencies, media organizations, and e-commerce platforms—face critical risk. Government entities under NCA oversight and SAMA-regulated financial institutions using Cockpit for customer-facing portals are especially vulnerable. The vulnerability allows authenticated insiders or compromised administrative accounts to achieve full server compromise, potentially exposing sensitive citizen data, financial records, and critical infrastructure information. Healthcare organizations using Cockpit for patient portals and telecom providers managing customer information face significant data breach and regulatory compliance risks.
🏢 Affected Saudi Sectors
Government & Public Administration Banking & Financial Services Healthcare & Medical Services Energy & Utilities Telecommunications Media & Publishing E-Commerce & Retail Education Insurance
⚖️ Saudi Risk Score (AI)
8.9
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:

1. Audit all Cockpit CMS installations in your environment and identify instances with collection management functionality enabled

2. Review access logs for the /cockpit/collections/save_collection endpoint for suspicious activity, particularly from administrative accounts

3. Restrict collection management privileges to only essential personnel and implement principle of least privilege

4. Disable Cockpit CMS collection management features if not actively required



COMPENSATING CONTROLS (until patch available):

5. Implement Web Application Firewall (WAF) rules to block requests to /cockpit/collections/save_collection endpoint containing PHP code patterns (<?php, eval, system, exec, passthru, shell_exec)

6. Apply strict input validation and sanitization on all rule parameters—reject any input containing PHP tags or suspicious function calls

7. Implement file integrity monitoring (FIM) on Cockpit configuration and rule files to detect unauthorized modifications

8. Restrict file write permissions on Cockpit directories to read-only where possible

9. Disable PHP execution in Cockpit configuration directories via .htaccess or web server configuration

10. Implement network segmentation to limit administrative access to Cockpit to trusted networks only

11. Enable detailed logging and alerting for collection management operations

12. Monitor for suspicious include() or require() statements in PHP error logs



DETECTION RULES:

- Alert on POST requests to /cockpit/collections/save_collection with payloads containing: '<?', 'eval(', 'system(', 'exec(', 'passthru(', 'shell_exec(', 'proc_open(', 'popen('

- Monitor for file modifications in Cockpit rule/config directories outside of normal deployment windows

- Alert on execution of unexpected PHP files in Cockpit directories

- Track failed and successful authentication attempts to Cockpit administrative interfaces
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:

1. قم بمراجعة جميع تثبيتات Cockpit CMS في بيئتك وحدد الحالات التي تحتوي على وظائف إدارة المجموعات المفعلة

2. راجع سجلات الوصول لنقطة النهاية /cockpit/collections/save_collection بحثاً عن نشاط مريب، خاصة من الحسابات الإدارية

3. قيّد امتيازات إدارة المجموعات للموظفين الأساسيين فقط وطبّق مبدأ أقل امتياز

4. عطّل وظائف إدارة مجموعات Cockpit إذا لم تكن مطلوبة بنشاط



الضوابط التعويضية (حتى توفر التصحيح):

5. طبّق قواعد جدار حماية تطبيقات الويب (WAF) لحجب الطلبات إلى نقطة النهاية /cockpit/collections/save_collection التي تحتوي على أنماط أكواد PHP (<?php, eval, system, exec, passthru, shell_exec)

6. طبّق التحقق من صحة الإدخال والتنظيف الصارم على جميع معاملات القواعد—رفض أي إدخال يحتوي على علامات PHP أو استدعاءات دوال مريبة

7. طبّق مراقبة سلامة الملفات (FIM) على ملفات تكوين وقواعد Cockpit للكشف عن التعديلات غير المصرح بها

8. قيّد أذونات كتابة الملفات في دلائل Cockpit إلى القراءة فقط حيث أمكن

9. عطّل تنفيذ PHP في دلائل تكوين Cockpit عبر .htaccess أو إعدادات خادم الويب

10. طبّق تقسيم الشبكة لتحديد الوصول الإداري إلى Cockpit للشبكات الموثوقة فقط

11. فعّل التسجيل والتنبيهات التفصيلية لعمليات إدارة المجموعات

12. راقب استخدام include() أو require() المريب في سجلات أخطاء PHP



قواعد الكشف:

- تنبيه على طلبات POST إلى /cockpit/collections/save_collection مع حمولات تحتوي على: '<?', 'eval(', 'system(', 'exec(', 'passthru(', 'shell_exec(', 'proc_open(', 'popen('

- راقب تعديلات الملفات في دلائل قواعد/تكوين Cockpit خارج نوافذ النشر العادية

- تنبيه على تنفيذ ملفات PHP غير متوقعة في دلائل Cockpit

- تتبع محاولات المصادقة الفاشلة والناجحة لواجهات Cockpit الإدارية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures A.6.1.1 - Access control policy A.6.2.1 - User registration and access rights management A.8.2.1 - Classification of information A.8.2.3 - Handling of assets A.12.2.1 - Restrictions on software installation A.12.4.1 - Event logging A.12.4.3 - Administrator and operator logs A.14.2.1 - Secure development policy
🔵 SAMA CSF
Governance & Risk Management - Risk Assessment and Management Information & Cybersecurity - Access Control and Authentication Information & Cybersecurity - Data Protection and Privacy Operational Resilience - Incident Management and Response Operational Resilience - Monitoring and Logging
🟡 ISO 27001:2022
5.1 - Policies for information security 5.3 - Segregation of duties 6.1 - Screening 6.2 - Terms and conditions of employment 8.1 - Prior to employment 8.2 - During employment 8.3 - Termination and change of employment 8.6 - Management of third-party access 9.1 - Physical access control 9.2 - Secure areas 9.4 - Physical and environmental security 10.1 - Cryptography 12.2 - Restrictions on software installation 12.4 - Logging 12.6 - Management of technical vulnerabilities 14.2 - Secure development policy and procedures
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain a firewall configuration Requirement 2 - Do not use vendor-supplied defaults Requirement 6 - Develop and maintain secure systems and applications Requirement 7 - Restrict access to data by business need to know Requirement 8 - Identify and authenticate access to system components Requirement 10 - Track and monitor all access to network resources
📊 CVSS Score
8.8
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack VectorN — None / Network
Attack ComplexityL — Low / Local
Privileges RequiredL — Low / Local
User InteractionN — None / Network
ScopeU — Unchanged
ConfidentialityH — High
IntegrityH — High
AvailabilityH — High
📋 Quick Facts
Severity High
CVSS Score8.8
CWECWE-94
EPSS0.39%
Exploit No
Patch ✗ No
Published 2026-04-29
Source Feed nvd
🇸🇦 Saudi Risk Score
8.9
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-94
⚡ Actions
🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details
Share this CVE
LinkedIn X / Twitter WhatsApp Telegram

💬 Comments

0
Loading comments
📣 Found this valuable?
Share it with your cybersecurity network
in LinkedIn 𝕏 X / Twitter 💬 WhatsApp ✈ Telegram
🍪 Privacy Preferences
CISO Consulting — Compliant with Saudi Personal Data Protection Law (PDPL)
We use cookies and similar technologies to provide the best experience on our platform. You can choose which types you accept.
🔒
Essential Always On
Required for the website to function properly. Cannot be disabled.
📋 Sessions, CSRF tokens, authentication, language preferences
📊
Analytics
Help us understand how visitors use the site and improve performance.
📋 Page views, session duration, traffic sources, performance metrics
⚙️
Functional
Enable enhanced features like content personalization and preferences.
📋 Dark/light theme, font size, custom dashboards, saved filters
📣
Marketing
Used to deliver content and ads relevant to your interests.
📋 Campaign tracking, retargeting, social media analytics
Privacy Policy →
CISO AI Assistant
Ask anything · Documents · Support
🔐

Introduce Yourself

Enter your details to access the full assistant

Your info is private and never shared
💬
CyberAssist
Online · responds in seconds
5 / 5
🔐 Verify Your Identity

Enter your email to receive a verification code before submitting a support request.

Enter to send · / for commands 0 / 2000
CISO AI · Powered by Anthropic Claude
✦ Quick Survey Help Us Improve CISO Consulting Your feedback shapes the future of our platform — takes less than 2 minutes.
⚠ Please answer this question to continue

How would you rate your overall experience with our platform?

Rate from 1 (poor) to 5 (excellent)

🎉
Thank you!
Your response has been recorded.