Vulnerability Overview
Vulnerability ID: #792601
Vulnerability Name: Cockpit-HQ Cockpit CMS 2.13.5 Injection
Vulnerability Type: NoSQL Injection (NoSQLi)
Description: A critical vulnerability was discovered in Cockpit CMS v2.13.5. The application does not properly sanitize special elements (such as and ) in its data query logic, leading to a NoSQL injection vulnerability. Specifically, the and endpoints pass user-controlled JSON objects directly to the MongoDB driver, so query operators reach the database without adequate sanitization. Attackers can use these operators to perform blind data extraction or cross-collection aggregation, achieving full database extraction, including hashed admin credentials, API tokens, and 2FA keys.

Impact Scope
Affected Version: Cockpit CMS v2.13.5
Impacted Endpoints: - -

Remediation
Remediation Recommendation: Properly sanitize special elements in the data query logic to prevent NoSQL injection attacks.

POC Code/Exploit Code
No specific POC code or exploit code is provided on the page.

Additional Information
Submitter: Nicolas Pauferro (UID 96903)
Submission Time: March 20, 2026 02:58 AM
Review Time: April 19, 2026 06:43 PM
Status: Accepted
VulDB Entry: 358261 [Cockpit-HQ Cockpit up to 2.13.5 Asset Handler/Aggregate data query logic injection]
Points: 20

Community Content
Submitter: VulDB community user
Disclaimer: VulDB is not responsible for submitted content or external links.
Usage Advice: Please use the information provided with caution, as it may contain malicious or harmful operations, code, or data.
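As an added illustration of the remediation recommended above (not code from Cockpit CMS or from this VulDB entry), the following Python validates a user-supplied JSON filter before it is handed to a MongoDB driver, admitting only an allow-list of field names and simple comparison operators so that logic, regex and aggregation operators cannot be smuggled in through the JSON body. The allow-lists, function names and sample inputs are constructed assumptions for this example.

```python
import json

# Constructed allow-lists (assumptions): fields a caller may filter on and
# the only query operators permitted in operator position.
ALLOWED_FIELDS = {"title", "slug", "published"}
ALLOWED_OPERATORS = {"$eq", "$in", "$gt", "$gte", "$lt", "$lte"}


class UnsafeQueryError(ValueError):
    """Raised when a user-supplied filter contains a disallowed construct."""


def _is_scalar(value):
    """Only plain JSON scalars may be compared against; no nested documents."""
    return value is None or isinstance(value, (str, int, float, bool))


def _validate_condition(field, cond):
    """Validate an operator document such as {"$in": ["a", "b"]} for one field."""
    for op, arg in cond.items():
        if op not in ALLOWED_OPERATORS:
            # Blocks $ne, $regex, $where, $expr, $lookup, $function and any
            # other operator that is not a plain comparison.
            raise UnsafeQueryError(f"operator not allowed on {field}: {op!r}")
        if op == "$in":
            if not isinstance(arg, list) or not all(_is_scalar(v) for v in arg):
                raise UnsafeQueryError("$in requires a list of scalars")
        elif not _is_scalar(arg):
            raise UnsafeQueryError(f"argument to {op} on {field} must be scalar")


def validate_filter(doc):
    """Validate a decoded JSON filter; returns it unchanged if it is acceptable.

    Top-level keys must be allow-listed field names, so $or/$where/$and never
    appear at the top level, and dotted keys (cross-field paths) are rejected.
    """
    if not isinstance(doc, dict):
        raise UnsafeQueryError("filter must be a JSON object")
    for field, cond in doc.items():
        if not isinstance(field, str) or "." in field or field not in ALLOWED_FIELDS:
            raise UnsafeQueryError(f"field not allowed: {field!r}")
        if isinstance(cond, dict):
            _validate_condition(field, cond)
        elif not _is_scalar(cond):
            raise UnsafeQueryError(f"value for {field} must be a scalar")
    return doc


def parse_user_filter(raw_json):
    """Decode a request body and validate it; the result is safe to pass on."""
    return validate_filter(json.loads(raw_json))


def is_safe_filter(raw_json):
    """Yes/no wrapper for callers that only need to reject or accept a body."""
    try:
        parse_user_filter(raw_json)
    except (UnsafeQueryError, json.JSONDecodeError):
        return False
    return True
```

A request that fails `parse_user_filter` should be answered with a 400 and logged with the rejected key or operator, which also gives a detection signal for probing of the query endpoints.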