Cockpit-HQ Cockpit Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability allowing arbitrary file upload has been identified in Cockpit-HQ Cockpit versions prior to 2.4.1. This issue arises from insufficient upload filtering, which allows attackers to bypass restrictions by using certain file extensions. Exploitation of this vulnerability could lead to remote code execution.

Impact

Successful exploitation allows for arbitrary file upload, which can be leveraged to execute malicious code on the server.

Reproduction

To reproduce this vulnerability, upload a file with a .phar or .phtml extension through the application's asset management feature. After uploading, access the file via its asset link, which will execute any commands specified in the file. This can be done by embedding a command in the uploaded file that is executed upon access.

Remediation

Users are advised to upgrade Cockpit-HQ Cockpit to version 2.4.1 or higher.
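The Vulnerability section above attributes the issue to an upload filter that can be bypassed with extensions such as .phar and .phtml. The following added example (not Cockpit's code; the weak denylist is a constructed illustration of that class of filter, not the project's actual logic) contrasts such a filter with an allowlist-based check and includes a small audit helper for reviewing already-stored asset names. SAMPLE_ASSETS is a constructed listing.

```python
"""Upload-extension filtering: constructed weak denylist beside an allowlist check."""
import os

# Constructed weak filter: blocks the obvious extension and nothing else.
WEAK_DENYLIST = {".php"}

# Hardened approach: only the types the asset feature actually needs (assumed set).
ASSET_ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp", ".pdf"}

# Suffixes a PHP-backed server may execute; .phar and .phtml are the two the advisory names.
SERVER_EXECUTABLE = {".php", ".phtml", ".phar"}

# Constructed asset listing for the audit helper below.
SAMPLE_ASSETS = ["logo.png", "report.pdf", "upload.phtml", "archive.phar", "photo.jpg"]


def _suffixes(filename: str) -> list[str]:
    """Every dot-separated suffix, lower-cased: 'a.phtml.png' -> ['.phtml', '.png']."""
    base = os.path.basename(filename).lower()
    return ["." + p for p in base.split(".")[1:]]


def weak_check(filename: str) -> bool:
    """Denylist filter: True means the upload is accepted. Misses .phtml and .phar."""
    return os.path.splitext(filename.lower())[1] not in WEAK_DENYLIST


def hardened_check(filename: str) -> bool:
    """Allowlist filter: final suffix must be an allowed asset type,
    and no earlier suffix may be one the server could execute."""
    parts = _suffixes(filename)
    if not parts or parts[-1] not in ASSET_ALLOWLIST:
        return False
    return not any(p in SERVER_EXECUTABLE for p in parts[:-1])


def flag_suspicious_assets(filenames: list[str]) -> list[str]:
    """Audit helper: stored asset names carrying any server-executable suffix."""
    return [f for f in filenames if any(p in SERVER_EXECUTABLE for p in _suffixes(f))]


if __name__ == "__main__":
    for name in SAMPLE_ASSETS:
        print(f"{name:14} weak={weak_check(name)!s:5} hardened={hardened_check(name)}")
    print("review:", flag_suspicious_assets(SAMPLE_ASSETS))
```

Running the audit helper over an existing asset directory listing is a quick way to check for uploads that predate the fix.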

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 7.5
exploitability: 9.1
remediation: 7.7
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.