Cyber Resilience

CVE-2026-38991

Severity: High
Published: 29 April 2026
Modified: 29 April 2026
KEV Added: not listed
Patch: available (Cockpit 2.14.0)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0037 (29.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-38991 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Cockpit CMS 2.13.5 and earlier (product inferred from the references and description; NVD did not file a CPE for this CVE). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the renamed .php file then serving as a Web Shell (T1505.003). EPSS ranks it at the 29.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation, i.e. upgrading to Cockpit 2.14.0, which is the direct fix), SI-10 (Information Input Validation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-38991 affects Cockpit 2.13.5 and earlier. It stems from a misconfiguration in the Bucket component's _isFileTypeAllowed function, where a specially crafted filename bypasses the extension filter, so a file can be renamed to an extension the filter was meant to reject.

An authenticated attacker with low privileges can exploit the issue remotely over the network with low complexity and no user interaction. Successful exploitation lets the attacker rename an arbitrary file to a .php extension; once the web server hands that file to the PHP interpreter, the result is arbitrary code execution on the underlying server. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) scores 8.8 with high impact on confidentiality, integrity and availability; the weakness is CWE-434 (Unrestricted Upload of File with Dangerous Type).

The fix is Cockpit 2.14.0, which addresses this and other vulnerabilities (see the GitHub release notes). Felsec's security post gives additional advisory detail on this and related issues in Cockpit CMS 2.13.5.
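The input-validation half of the fix, shown as an added example rather than Cockpit's own code: the page does not reveal how _isFileTypeAllowed is written or which filename shape defeats it, so the weak check below is a representative denylist pattern and the hardened one is the allowlist discipline an upload or rename handler should apply. The allowlist, the regexes and the sample names are assumptions made for this illustration.

```python
"""Filename validation for a CMS asset bucket: a representative weak check
beside a hardened allowlist check.

Added example; this is not Cockpit's _isFileTypeAllowed and the page does not
say which crafted filename defeats it. The allowlist, the regexes and the
sample names are constructed for this illustration.
"""
import re
import unicodedata

# Extensions the bucket is expected to serve as static content (assumed).
# svg is deliberately absent: it can carry scripts and is a separate hazard.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt", "csv"})

# A denylist of the kind that tends to be incomplete (constructed for contrast).
WEAK_DENYLIST = (".php",)


def weak_is_allowed(filename: str) -> bool:
    """Representative weak check: denylist, raw string, case-sensitive."""
    return not filename.endswith(WEAK_DENYLIST)


# Base name: ASCII letter or digit first, then letters, digits, '_' or '-'.
_BASE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")
# Extension after lower-casing: short and alphanumeric only.
_EXT_RE = re.compile(r"[a-z0-9]{1,5}")


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist check on a canonicalised filename.

    Order matters: normalise first, because NFKC maps look-alike characters
    (fullwidth solidus, fullwidth letters) onto the ASCII the later checks
    inspect. Then reject separators and control bytes, require exactly one
    extension, and only then consult the allowlist.
    """
    name = unicodedata.normalize("NFKC", filename)
    if "/" in name or "\\" in name:          # no client-supplied directories
        return False
    if any(ord(c) < 32 or ord(c) == 127 for c in name):  # NUL etc. can truncate names downstream
        return False
    parts = name.split(".")
    if len(parts) != 2:                     # rejects "a.jpg.php", ".htaccess", "x.php." and "noext"
        return False
    base, ext = parts
    if not _BASE_RE.fullmatch(base):
        return False
    ext = ext.lower()                       # "JPG" and "PhP" compare as "jpg" and "php"
    if not _EXT_RE.fullmatch(ext):
        return False
    return ext in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {filename: (weak_verdict, hardened_verdict)} for a batch of names."""
    return {f: (weak_is_allowed(f), hardened_is_allowed(f)) for f in filenames}


if __name__ == "__main__":
    samples = ["report.pdf", "photo.JPG", "shell.php", "shell.PHP", "shell.phtml",
               "image.jpg.php", "shell.php.", "shell.php\x00.png", "../etc/passwd",
               ".htaccess", "\uff53\uff48\uff45\uff4c\uff4c.\uff50\uff48\uff50"]
    for name, (weak, hard) in compare(samples).items():
        print(f"{name!r:40} weak={weak!s:5} hardened={hard}")
```

Both the upload path and the rename path must go through the same validator: the reported bug is precisely that a rename reached the filesystem with an extension the filter was meant to reject, so validating only at upload time leaves the rename route open.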

Vulnerability details

Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension, enabling arbitrary code to be executed on the underlying server.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability lets an authenticated user of the web CMS bypass the file extension filter and rename or place a .php file. That is exploitation of a public-facing application (T1190), and the resulting file is a ready-made web shell for persistent RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
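A hunt for the artefact T1505.003 leaves behind, added here as an example and not taken from the page or the Cockpit project: walk the asset directory and flag anything the web server could execute or that looks like PHP, whatever its name. The directory layout, the extension list, the token regex and the planted files are constructed; Cockpit's real upload path is not given on this page, so point hunt() at wherever your deployment writes uploads.

```python
"""Hunt for web-shell artefacts in a CMS asset directory (T1505.003).

Added example, not part of the page or the Cockpit project. The directory
layout, the extension list, the token regex and the planted files are all
constructed here; Cockpit's real storage path is not given on this page.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Extensions a PHP-capable web server commonly executes (constructed list).
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Functions and superglobals that have no business inside an upload directory.
SUSPICIOUS_TOKENS = re.compile(
    rb"(?:eval|assert|base64_decode|shell_exec|passthru|system|proc_open|popen)\s*\("
    rb"|\$_(?:GET|POST|REQUEST|COOKIE)\b"
)


def hunt(asset_root: Path) -> list:
    """Return one finding per file that is executable by name, starts with a PHP
    open tag, or contains a suspicious token. All three signals are kept: a renamed
    image (executable name, harmless body) and a shell with a benign extension
    (harmless name, dangerous body) are both worth a look."""
    findings = []
    for path in sorted(asset_root.rglob("*")):
        if not path.is_file():
            continue
        # Check every suffix, not just the last: "avatar.jpg.php" and "x.php.png"
        # can both reach the PHP handler depending on server configuration.
        executable = bool({s.lower() for s in path.suffixes} & EXECUTABLE_EXTENSIONS)
        head = path.read_bytes()[:65536]
        stripped = head.lstrip()
        php_open_tag = stripped.startswith(b"<?php") or stripped.startswith(b"<?=")
        tokens = sorted({m.group(0).decode("latin-1") for m in SUSPICIOUS_TOKENS.finditer(head)})
        if executable or php_open_tag or tokens:
            findings.append({
                "path": path.relative_to(asset_root).as_posix(),
                "executable_extension": executable,
                "php_open_tag": php_open_tag,
                "suspicious_tokens": tokens,
                "mtime": path.stat().st_mtime,   # pivot for timeline reconstruction
            })
    return findings


def build_sample_tree() -> Path:
    """Create a throwaway asset tree with two benign files and two planted ones (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="cms-assets-"))
    month = root / "2026" / "04"
    month.mkdir(parents=True)
    month.joinpath("brochure.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n")
    month.joinpath("logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    # Benign image renamed to .php: executable by name even though the body is not PHP.
    month.joinpath("logo.php").write_bytes(b"\x89PNG\r\n\x1a\n")
    # Minimal web-shell body uploaded under an image name and then renamed.
    month.joinpath("avatar.jpg.php").write_bytes(b"<?php system($_GET['c']); ?>")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        for finding in hunt(sample_root):
            print(finding)
    finally:
        shutil.rmtree(sample_root, ignore_errors=True)
```

The mtime is recorded because, in an incident driven by this bug, the rename time is the pivot: it dates the attacker's authenticated session and bounds the window in which the web shell could have been used.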

CVEs Like This One

CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)
CVE-2019-25630 (shared CWE-434)

Affected Assets

Cockpit CMS 2.13.5 and earlier
Product inferred from the references and description; NVD did not file a CPE for this CVE. Felsec is the advisory source, not the affected vendor.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Requires timely flaw remediation, including patching to Cockpit 2.14.0, which directly fixes the misconfiguration in the _isFileTypeAllowed function.

SI-10 Information Input Validation (prevent)
Mandates input validation at file upload and rename points: canonicalise the submitted name, then allow only a fixed set of extensions, so a specially crafted filename cannot slip past a denylist-style filter.

CM-6 Configuration Settings (prevent)
Ensures secure baseline configuration for file-handling components such as the Bucket _isFileTypeAllowed function. As defence in depth, configure the web server not to execute scripts from the asset storage directory, so a file renamed to .php there cannot be run even if the filter fails.
