الثغرات ›

CVE-2026-34965

مرتفع

CWE-94 — نوع الضعف

                    نُشر: Apr 29, 2026                      ·  آخر تحديث: May 6, 2026                      ·  المصدر: NVD                

CVSS v3

8.8

🔗 NVD الرسمي

📄 الوصف (الإنجليزية)

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.

🤖 ملخص AI

Cockpit CMS contains a critical authenticated remote code execution vulnerability (CVE-2026-34965) in the collection management endpoint that allows privileged users to inject arbitrary PHP code through rule parameters. The vulnerability exploits unsafe file writing and include() execution, enabling complete server compromise. With a CVSS score of 8.8 and no patch currently available, this poses an immediate threat to organizations using Cockpit CMS for content management.

📄 الوصف (العربية)

🤖 التحليل الذكي آخر تحليل: May 4, 2026 16:16

🇸🇦 التأثير على المملكة العربية السعودية

Saudi organizations using Cockpit CMS for content management—particularly government agencies, media organizations, and e-commerce platforms—face critical risk. Government entities under NCA oversight and SAMA-regulated financial institutions using Cockpit for customer-facing portals are especially vulnerable. The vulnerability allows authenticated insiders or compromised administrative accounts to achieve full server compromise, potentially exposing sensitive citizen data, financial records, and critical infrastructure information. Healthcare organizations using Cockpit for patient portals and telecom providers managing customer information face significant data breach and regulatory compliance risks.

🏢 القطاعات السعودية المتأثرة

Government & Public Administration Banking & Financial Services Healthcare & Medical Services Energy & Utilities Telecommunications Media & Publishing E-Commerce & Retail Education Insurance

🎯 تقنيات MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1059.007 - Command and Scripting Interpreter: JavaScript/JScript T1133 - External Remote Services T1078 - Valid Accounts T1078.001 - Valid Accounts: Default Accounts T1078.002 - Valid Accounts: Domain Accounts T1078.003 - Valid Accounts: Local Accounts T1505 - Server Software Component T1505.003 - Server Software Component: Web Shell T1547 - Boot or Logon Autostart Execution T1037 - Boot or Logon Initialization Scripts T1543 - Create or Modify System Process T1136 - Create Account T1543.003 - Create or Modify System Process: Windows Service

⚖️ درجة المخاطر السعودية (AI)

8.9

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Audit all Cockpit CMS installations in your environment and identify instances with collection management functionality enabled

2. Review access logs for the /cockpit/collections/save_collection endpoint for suspicious activity, particularly from administrative accounts

3. Restrict collection management privileges to only essential personnel and implement principle of least privilege

4. Disable Cockpit CMS collection management features if not actively required

COMPENSATING CONTROLS (until patch available):

5. Implement Web Application Firewall (WAF) rules to block requests to /cockpit/collections/save_collection endpoint containing PHP code patterns (<?php, eval, system, exec, passthru, shell_exec)

6. Apply strict input validation and sanitization on all rule parameters—reject any input containing PHP tags or suspicious function calls

7. Implement file integrity monitoring (FIM) on Cockpit configuration and rule files to detect unauthorized modifications

8. Restrict file write permissions on Cockpit directories to read-only where possible

9. Disable PHP execution in Cockpit configuration directories via .htaccess or web server configuration

10. Implement network segmentation to limit administrative access to Cockpit to trusted networks only

11. Enable detailed logging and alerting for collection management operations

12. Monitor for suspicious include() or require() statements in PHP error logs

DETECTION RULES:

- Alert on POST requests to /cockpit/collections/save_collection with payloads containing: '<?', 'eval(', 'system(', 'exec(', 'passthru(', 'shell_exec(', 'proc_open(', 'popen('

- Monitor for file modifications in Cockpit rule/config directories outside of normal deployment windows

- Alert on execution of unexpected PHP files in Cockpit directories

- Track failed and successful authentication attempts to Cockpit administrative interfaces

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. قم بمراجعة جميع تثبيتات Cockpit CMS في بيئتك وحدد الحالات التي تحتوي على وظائف إدارة المجموعات المفعلة

2. راجع سجلات الوصول لنقطة النهاية /cockpit/collections/save_collection بحثاً عن نشاط مريب، خاصة من الحسابات الإدارية

3. قيّد امتيازات إدارة المجموعات للموظفين الأساسيين فقط وطبّق مبدأ أقل امتياز

4. عطّل وظائف إدارة مجموعات Cockpit إذا لم تكن مطلوبة بنشاط



الضوابط التعويضية (حتى توفر التصحيح):

5. طبّق قواعد جدار حماية تطبيقات الويب (WAF) لحجب الطلبات إلى نقطة النهاية /cockpit/collections/save_collection التي تحتوي على أنماط أكواد PHP (<?php, eval, system, exec, passthru, shell_exec)

6. طبّق التحقق من صحة الإدخال والتنظيف الصارم على جميع معاملات القواعد—رفض أي إدخال يحتوي على علامات PHP أو استدعاءات دوال مريبة

7. طبّق مراقبة سلامة الملفات (FIM) على ملفات تكوين وقواعد Cockpit للكشف عن التعديلات غير المصرح بها

8. قيّد أذونات كتابة الملفات في دلائل Cockpit إلى القراءة فقط حيث أمكن

9. عطّل تنفيذ PHP في دلائل تكوين Cockpit عبر .htaccess أو إعدادات خادم الويب

10. طبّق تقسيم الشبكة لتحديد الوصول الإداري إلى Cockpit للشبكات الموثوقة فقط

11. فعّل التسجيل والتنبيهات التفصيلية لعمليات إدارة المجموعات

12. راقب استخدام include() أو require() المريب في سجلات أخطاء PHP



قواعد الكشف:

- تنبيه على طلبات POST إلى /cockpit/collections/save_collection مع حمولات تحتوي على: '<?', 'eval(', 'system(', 'exec(', 'passthru(', 'shell_exec(', 'proc_open(', 'popen('

- راقب تعديلات الملفات في دلائل قواعد/تكوين Cockpit خارج نوافذ النشر العادية

- تنبيه على تنفيذ ملفات PHP غير متوقعة في دلائل Cockpit

- تتبع محاولات المصادقة الفاشلة والناجحة لواجهات Cockpit الإدارية

📋 خريطة الامتثال التنظيمي

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures A.6.1.1 - Access control policy A.6.2.1 - User registration and access rights management A.8.2.1 - Classification of information A.8.2.3 - Handling of assets A.12.2.1 - Restrictions on software installation A.12.4.1 - Event logging A.12.4.3 - Administrator and operator logs A.14.2.1 - Secure development policy

🔵 SAMA CSF

Governance & Risk Management - Risk Assessment and Management Information & Cybersecurity - Access Control and Authentication Information & Cybersecurity - Data Protection and Privacy Operational Resilience - Incident Management and Response Operational Resilience - Monitoring and Logging

🟡 ISO 27001:2022

5.1 - Policies for information security 5.3 - Segregation of duties 6.1 - Screening 6.2 - Terms and conditions of employment 8.1 - Prior to employment 8.2 - During employment 8.3 - Termination and change of employment 8.6 - Management of third-party access 9.1 - Physical access control 9.2 - Secure areas 9.4 - Physical and environmental security 10.1 - Cryptography 12.2 - Restrictions on software installation 12.4 - Logging 12.6 - Management of technical vulnerabilities 14.2 - Secure development policy and procedures

🟣 PCI DSS v4.0.1

Requirement 1 - Install and maintain a firewall configuration Requirement 2 - Do not use vendor-supplied defaults Requirement 6 - Develop and maintain secure systems and applications Requirement 7 - Restrict access to data by business need to know Requirement 8 - Identify and authenticate access to system components Requirement 10 - Track and monitor all access to network resources

🔗 المراجع والمصادر 4

🔗

https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90

disclosure@vulncheck.com

🔗

https://github.com/agentejo/cockpit

disclosure@vulncheck.com

🔗

https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-vi...

disclosure@vulncheck.com

📊 CVSS Score

8.8

/ 10.0 — مرتفع

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 حقائق سريعة

الخطورة مرتفع

CVSS Score8.8

CWECWE-94

EPSS0.39%

اختراق متاح لا

تصحيح متاح ✗ لا

تاريخ النشر 2026-04-29

المصدر nvd

المشاهدات 1

🇸🇦 درجة المخاطر السعودية

8.9

/ 10.0 — مخاطر السعودية

أولوية: CRITICAL

🏷️ الوسوم

CWE-94

⚡ إجراءات

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 التعليقات

جارٍ التحميل

CVE-2026-34965

💬 التعليقات

عرّفنا بنفسك

تسجيل الدخول مطلوب