Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-57855

HIGH NVD
CVSS Score 8.8
Severity HIGH
Published Jul 13, 2026
Vendor unknown

Description

Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls, upload, removefiles, rename, createfolder) without performing any ACL or role check. Any authenticated user, regardless of role, can perform all bucket operations on any named bucket, including buckets intended for admin use only.

References