OS Command Injection Affecting cockpit package, versions <0:310.8-1.el8_10


Severity

Recommended
0.0
high
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
1.02% (59th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS8-COCKPIT-16657413
  • published14 May 2026
  • disclosed11 May 2026

Introduced: 11 May 2026

CVE-2026-4802  (opens in a new tab)
CWE-78  (opens in a new tab)

How to fix?

Upgrade Centos:8 cockpit to version 0:310.8-1.el8_10 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream cockpit package and not the cockpit package as distributed by Centos. See How to fix? for Centos:8 relevant fixed versions and status.

A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.

CVSS Base Scores

version 3.1