Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-57856— Cockpit CMS Path Traversal via Bucket Name in Bucket File Storage API

CVSS 8.8 · High EPSS 0.39% · P31

Possible ATT&CK Techniques 1AI

T1083 · File and Directory Discovery

Affected Version Matrix 1

VendorProductVersion RangeStatus
Cockpit HQCockpit CMS< 2.14.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-57856

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Cockpit CMS Path Traversal via Bucket Name in Bucket File Storage API
Source: NVD (National Vulnerability Database)
Vulnerability Description
Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php sanitizes the bucket name with preg_replace('/[^a-zA-Z0-9-_\\.]/','', $bucket), which permits '..' and '../' sequences. The sanitized value is interpolated into a Flysystem path as uploads://buckets/{bucket}. Flysystem's WhitespacePathNormalizer resolves 'buckets/..' to the empty string (the uploads storage root) without raising PathTraversalDetected because the '..' has a preceding component to consume. An authenticated low-privileged user can send a crafted request with a '../' bucket name to list, upload, and delete files across all buckets, including those belonging to other users or roles
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Cockpit CMS 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Cockpit Cockpit CMS是Cockpit组织的内容管理系统。 Cockpit CMS 2.14.0之前版本存在路径遍历漏洞,该漏洞源于Bucket文件存储API中存在路径遍历漏洞,涉及使用preg_replace函数对bucket名称进行清理时允许'..'和'../'序列,可能导致已验证的低权限用户通过发送特制请求列出、上传和删除所有存储桶中的文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Cockpit HQCockpit CMS 0 ~ 2.14.0 -

II. Public POCs for CVE-2026-57856

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7957 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-57856

登录查看更多情报信息。

Patches & Fixes for CVE-2026-57856 (1)

Vendor Advisories for CVE-2026-57856 (3)

Vendor Pages for CVE-2026-57856 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-57856

No comments yet


Leave a comment