Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-4802
8.0 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
Cockpit: cockpit: arbitrary command execution via crafted links in system logs ui
A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.
References
Affected products
cockpit
Matching in nixpkgs
pkgs.cockpit
Web-based graphical interface for servers
pkgs.cockpit-zfs
Cockpit plugin for ZFS management by 45Drives
pkgs.cockpit-files
Featureful file browser for Cockpit
pkgs.cockpit-podman
Cockpit UI for podman containers
pkgs.cockpit-machines
Cockpit UI for virtual machines
Package maintainers
-
@andre4ik3 andre4ik3 <andre4ik3@fastmail.com>
-
@alexandru0-dev Alexandru Nechita <alexandru.italia32+nixpkgs@gmail.com>
-
@lucasew Lucas Eduardo Wendt <lucas59356@gmail.com>
-
@hatch01 Eymeric Dechelette <hatchchien@protonmail.com>