Agentejo Cockpit
31 CVEs affecting Agentejo Cockpit. Latest disclosed: 2026-03-18. Critical: 9, High: 7.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-4825 | Critical | 9.8 | 2024-05-14 | A vulnerability has been discovered in Agentejo Cockpit CMS v0.5.5 that consists in an arbitrary file upload in ‘/media/api’ parameter via post request. An att… |
| CVE-2022-2818 | Critical | 9.8 | 2022-08-15 | Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2. |
| CVE-2022-2713 | Critical | 9.8 | 2022-08-08 | Insufficient Session Expiration in GitHub repository cockpit-hq/cockpit prior to 2.2.0. |
| CVE-2020-35131 | Critical | 9.8 | 2021-01-08 | Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.p… |
| CVE-2020-35848 | Critical | 9.8 | 2020-12-30 | Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function. |
| CVE-2020-35847 | Critical | 9.8 | 2020-12-30 | Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function. |
| CVE-2020-35846 | Critical | 9.8 | 2020-12-30 | Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. |
| CVE-2018-15540 | Critical | 9.8 | 2018-10-15 | Agentejo Cockpit performs actions on files without appropriate validation and therefore allows an attacker to traverse the file system to unintended locations… |
| CVE-2017-14611 | Critical | 9.1 | 2018-04-10 | SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url paramete… |
| CVE-2023-4195 | High | 8.8 | 2023-08-06 | PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. |
| CVE-2023-37650 | High | 8.8 | 2023-07-20 | A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands. |
| CVE-2023-1313 | High | 8.8 | 2023-03-10 | Unrestricted Upload of File with Dangerous Type in GitHub repository cockpit-hq/cockpit prior to 2.4.1. |
| CVE-2023-0759 | High | 8.8 | 2023-02-09 | Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2.3.8. |
| CVE-2018-15539 | High | 8.8 | 2018-10-15 | Agentejo Cockpit lacks an anti-CSRF protection mechanism. Thus, an attacker is able to change API tokens, passwords, etc. |
| CVE-2026-31891 | High | 7.7 | 2026-03-18 | Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by… |
| CVE-2023-37649 | High | 7.5 | 2023-07-20 | Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data. |
| CVE-2023-41564 | Medium | 6.1 | 2023-09-08 | An arbitrary file upload vulnerability in the Upload Asset function of Cockpit CMS v2.6.3 allows attackers to execute arbitrary code via uploading a crafted .s… |
| CVE-2023-4451 | Medium | 6.1 | 2023-08-20 | Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
| CVE-2023-4432 | Medium | 6.1 | 2023-08-19 | Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4. |
| CVE-2023-4321 | Medium | 6.1 | 2023-08-14 | Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3. |