CVE-2026-34965
Published: 29 April 2026
Summary
CVE-2026-34965 is a high-severity Code Injection (CWE-94) vulnerability. Its listed CVSS base score is 8.7 (High); the CVSS v3.1 vector given in the deeper analysis below scores 8.8.
Operationally, it ranks in the top 47.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-34965 is an authenticated remote code execution vulnerability (CWE-94) in Cockpit CMS, specifically within the /cockpit/collections/save_collection endpoint. Published on 2026-04-29, it enables attackers to inject arbitrary PHP code into collection rules parameters. The injected code is written directly to server-side PHP files and subsequently executed via include(), resulting in arbitrary command execution on the underlying server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires valid credentials with collection management privileges; the attack is network-reachable, low complexity and needs no user interaction. By sending a crafted request to the vulnerable endpoint with PHP in the rule parameters, an attacker persists the payload in a server-side PHP file and triggers its execution on the next include(), gaining high-impact control over confidentiality, integrity, and availability on the server. The practical question for defenders is who holds collection management rights: any such account, including a compromised editor account, is sufficient.
Reference material includes VulnCheck's advisory at https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-via-collections, a detailed analysis at https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90, the Cockpit GitHub repository at https://github.com/agentejo/cockpit, and a related commit at https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9.
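To make the write-then-include mechanism concrete, here is an added example; it is not Cockpit's code, and the function names, file layout and rule grammar are hypothetical (it assumes PHP 8.1 or later). It shows a minimal save-collection handler that interpolates a rule string into a PHP file and later include()s it, next to a hardened version that stores rules as validated JSON and interprets them, so request data never becomes source. The validation step is the SI-10 control listed under mitigating controls.

```php
<?php
// Added example, not Cockpit's own code. It re-creates the pattern the
// advisory describes: a collection "rule" from an authenticated request is
// interpolated into a PHP source file and later include()d. All names here
// are hypothetical.
declare(strict_types=1);

// --- Vulnerable pattern (illustration only; do not deploy) -----------------
// The rule is spliced into an expression slot, so any PHP expression runs.
// A real attacker would supply shell_exec($_GET['c']) rather than print().
function save_collection_vulnerable(string $dir, string $name, string $rule): string
{
    $file = "$dir/$name.php";
    $php  = "<?php\nreturn function (array \$doc) {\n    return ( $rule );\n};\n";
    file_put_contents($file, $php);          // attacker text becomes code
    return $file;
}

function run_rule_vulnerable(string $file, array $doc): mixed
{
    $fn = include $file;                     // executes whatever was written
    return $fn($doc);
}

// --- Hardened pattern: rules are data, never source ------------------------
// Rules are parsed into a small, closed grammar (field, operator, scalar),
// stored as JSON and evaluated by walking the structure. Nothing from the
// request reaches file_put_contents() as PHP, and nothing is include()d.
final class Rule
{
    private const OPS   = ['==', '!=', '<', '<=', '>', '>='];
    private const FIELD = '/\A[a-z_][a-z0-9_]{0,63}\z/';

    public function __construct(
        public readonly string $field,
        public readonly string $op,
        public readonly int|float|string|bool|null $value,
    ) {}

    public static function fromArray(array $raw): self
    {
        if (!isset($raw['field'], $raw['op']) || !array_key_exists('value', $raw)) {
            throw new InvalidArgumentException('rule needs field, op, value');
        }
        if (!is_string($raw['field']) || !preg_match(self::FIELD, $raw['field'])) {
            throw new InvalidArgumentException('bad field name');
        }
        if (!in_array($raw['op'], self::OPS, true)) {
            throw new InvalidArgumentException('bad operator');
        }
        if (!is_scalar($raw['value']) && $raw['value'] !== null) {
            throw new InvalidArgumentException('value must be scalar');
        }
        return new self($raw['field'], $raw['op'], $raw['value']);
    }

    public function matches(array $doc): bool
    {
        $v = $doc[$this->field] ?? null;
        return match ($this->op) {
            '==' => $v === $this->value,
            '!=' => $v !== $this->value,
            '<'  => $v <  $this->value,
            '<=' => $v <= $this->value,
            '>'  => $v >  $this->value,
            '>=' => $v >= $this->value,
        };
    }
}

function save_collection_hardened(string $dir, string $name, array $rawRule): string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $name)) {
        throw new InvalidArgumentException('bad collection name');
    }
    $rule = Rule::fromArray($rawRule);               // reject before persisting
    $file = "$dir/$name.json";                       // data file, not .php
    file_put_contents($file, json_encode(
        ['field' => $rule->field, 'op' => $rule->op, 'value' => $rule->value],
        JSON_THROW_ON_ERROR
    ));
    return $file;
}

function run_rule_hardened(string $file, array $doc): bool
{
    $raw = json_decode(file_get_contents($file), true, 8, JSON_THROW_ON_ERROR);
    return Rule::fromArray($raw)->matches($doc);     // interpreted, never eval'd
}

// Demo with constructed input.
$dir     = sys_get_temp_dir();
$payload = "print('INJECTED')";                     // constructed attacker rule
$f = save_collection_vulnerable($dir, 'demo_vuln', $payload);
run_rule_vulnerable($f, []);                         // prints INJECTED

$g = save_collection_hardened($dir, 'demo_safe', ['field' => 'age', 'op' => '>=', 'value' => 18]);
var_dump(run_rule_hardened($g, ['age' => 21]));      // bool(true)
try {
    save_collection_hardened($dir, 'demo_safe', ['field' => $payload, 'op' => '==', 'value' => 1]);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";           // bad field name
}
```

Run with `php example.php`: the vulnerable path prints INJECTED because the rule slot is an arbitrary expression, the hardened path evaluates the same kind of rule as data, and the hardened save rejects the payload before anything touches disk. Validation (SI-10) narrows the attack surface; the durable fix is removing the generate-PHP-then-include() design so there is no source file for attacker input to reach.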
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26280
Vulnerability details
Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques: insufficient information to map techniques.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces validation of rule parameters in the /cockpit/collections/save_collection endpoint to block injection of arbitrary PHP code before it is written to server-side files.
- SI-2 (Flaw Remediation): directly remediates the flaw in Cockpit CMS by applying patches or updates that prevent PHP code injection and execution via collection rules.
- AC-6 (Least Privilege): minimizes the set of users holding the collection management privileges needed to reach the vulnerable endpoint.