PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58467 Cockpit CVE debrief

CVE-2026-58467 is a high-severity vulnerability in Cockpit CMS that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. This vulnerability exists in Cockpit CMS through version 2.14.0, where an unauthenticated attacker can inject dot-dot sequences into the URL to traverse outside the designated spaces directory.

Vendor
Cockpit
Product
CMS
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-02
Original CVE updated
2026-07-08
Advisory published
2026-07-02
Advisory updated
2026-07-08

Who should care

Users of Cockpit CMS version 2.14.0 or earlier should be aware of this vulnerability and take steps to mitigate it. Affected operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability and implement necessary controls.

Technical summary

The vulnerability exists in Cockpit CMS through version 2.14.0, where an unauthenticated attacker can inject dot-dot sequences into the URL to traverse outside the designated spaces directory. When the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations. Affected product context indicates that deployments using the PHP built-in server or certain non-default Nginx configurations are impacted.

Defensive priority

High

Recommended defensive actions

  • Apply the vendor patch or upgrade to a version of Cockpit CMS that is not vulnerable
  • Implement input validation and sanitization to prevent path traversal and local file inclusion attacks
  • Use a web application firewall to detect and prevent attacks
  • Monitor for suspicious activity and implement incident response plans
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-02T20:17:06.733Z and was last modified on 2026-07-08T14:17:19.517Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-02T20:17:06.733Z and has not been modified since then. The NVD entry is currently Deferred.