CVSS 3.1 base score: 9.8
Cockpit: Unauthenticated remote code execution via web browser
RLSA-2026:7383
Summary
Cockpit, a web-based server administration tool, is affected by an unauthenticated remote code execution flaw. The Cockpit web service (cockpit-ws) passed a hostname onto the ssh command line in a way that let the value be interpreted as additional ssh command-line arguments, so an attacker who can reach the Cockpit web interface can inject ssh arguments and run code on the server without supplying a password. Update Cockpit to a fixed version; for Rocky Linux 10 that is 0:344-3.el10_1.rocky.0.1 or later.
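The bug class behind this advisory, ssh command-line argument injection through a hostname, shown as an added example. This is not Cockpit's code and does not reproduce the exact cockpit-ws code path, which the advisory does not show; the trimmed option string, the `naive_ssh_argv`/`hardened_ssh_argv` helpers and the hostname rule are assumptions for illustration. Python's `getopt`, which like ssh's BSD getopt stops at the first non-option and honours `--`, stands in for ssh's own argument parser, so nothing is executed:

```python
import getopt
import re

# Trimmed stand-in for ssh's getopt string (assumption for illustration):
# 'o:' means -o takes a value (-oKey=Value), 'l:' is -l login, 'p:' is -p port.
# ssh's real string is much longer, but the parsing rule is the same.
SSH_OPTSTRING = "o:l:p:i:vq"

# Conservative hostname rule (assumption): letters, digits, dot, hyphen,
# colon and brackets (for IPv6 literals), 1-253 characters, never a leading '-'.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.\-:\[\]]{1,253}$")


def is_safe_hostname(host: str) -> bool:
    """True if host cannot be mistaken for an option by a getopt-style parser."""
    return bool(HOSTNAME_RE.match(host))


def naive_ssh_argv(user: str, host: str) -> list:
    """Vulnerable pattern: the caller-supplied host lands where ssh's option
    parser is still scanning, so a host beginning with '-' becomes an option."""
    return ["ssh", "-l", user, host]


def hardened_ssh_argv(user: str, host: str) -> list:
    """Fixed pattern: validate the host, then end option parsing with '--'
    before it, so even a host beginning with '-' is read as the destination."""
    if not is_safe_hostname(host):
        raise ValueError(f"refusing hostname {host!r}")
    return ["ssh", "-l", user, "--", host]


def interpret_as_ssh(argv: list):
    """Show how a getopt-style parser reads argv: (options, positionals).
    Does not run ssh."""
    opts, rest = getopt.getopt(argv[1:], SSH_OPTSTRING)
    return opts, rest


if __name__ == "__main__":
    # Constructed attacker-controlled "hostname".  ProxyCommand makes ssh run a
    # local command before connecting and is the textbook way an injected ssh
    # option turns into code execution; the advisory does not say which option
    # was involved in the cockpit-ws case.
    evil_host = "-oProxyCommand=touch /tmp/pwned"
    print("naive    :", interpret_as_ssh(naive_ssh_argv("admin", evil_host)))
    # -> ([('-l', 'admin'), ('-o', 'ProxyCommand=touch /tmp/pwned')], [])
    try:
        hardened_ssh_argv("admin", evil_host)
    except ValueError as e:
        print("hardened :", e)
    print("good host:", interpret_as_ssh(hardened_ssh_argv("admin", "web01.example.com")))
    # -> ([('-l', 'admin')], ['web01.example.com'])
    # Even without validation, '--' alone keeps the dash-host positional:
    print("dashdash :", interpret_as_ssh(["ssh", "--", evil_host]))
    # -> ([], ['-oProxyCommand=touch /tmp/pwned'])
```

Validation and `--` are independent layers: `--` guarantees the parser treats the next token as a positional, and the hostname rule rejects values that no legitimate caller would send, which also protects any later consumer of the value that does not honour `--`.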
What to do
- Update cockpit to version 0:344-3.el10_1.rocky.0.1 or later (Rocky Linux 10).
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| Rocky Linux:10 | – | cockpit | < 0:344-3.el10_1.rocky.0.1 | upgrade to 0:344-3.el10_1.rocky.0.1 |
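A check that an installed cockpit package on a Rocky Linux 10 host is at or above the fixed EVR, as an added example that is not part of the advisory or the Cockpit project. It ports RPM's rpmvercmp segment ordering to pure Python so it runs without the rpm module (and so the downstream `.rocky.0.1` release suffix compares correctly); `installed_cockpit_evr` is an assumed helper that queries the local rpm database with `rpm -q --qf`, and the EVR strings in `__main__` are constructed samples:

```python
import re
import subprocess

FIXED_EVR = "0:344-3.el10_1.rocky.0.1"   # epoch:version-release from the advisory

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def _is_sep(c: str) -> bool:
    """rpm treats anything that is not ASCII alphanumeric, '~' or '^' as a separator."""
    return not (c in "~^" or (c.isascii() and c.isalnum()))


def rpmvercmp(a: str, b: str) -> int:
    """Pure-Python port of rpm's rpmvercmp(): returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and _is_sep(a[i]):
            i += 1
        while j < len(b) and _is_sep(b[j]):
            j += 1
        ta, tb = a.startswith("~", i), b.startswith("~", j)
        if ta or tb:                      # '~' sorts before anything, even end of string
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        ca, cb = a.startswith("^", i), b.startswith("^", j)
        if ca or cb:                      # '^' sorts after end of string, before the rest
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if ca and cb:
                i, j = i + 1, j + 1
                continue
            return -1 if ca else 1
        if i >= len(a) or j >= len(b):
            break
        ma, mb = _SEG.match(a, i), _SEG.match(b, j)
        sa, sb = ma.group(), mb.group()
        isnum = sa[0].isdigit()
        if isnum != sb[0].isdigit():      # a numeric segment beats an alphabetic one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ma.end(), mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whichever string still has characters wins


def parse_evr(evr: str):
    """Split 'epoch:version-release'; a missing epoch defaults to 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def compare_evr(a: str, b: str) -> int:
    """Epoch numerically, then version, then release, as rpm does."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed package sorts below the advisory's fixed EVR."""
    return compare_evr(installed_evr, fixed_evr) < 0


def installed_cockpit_evr():
    """Assumed helper: ask the local rpm database; None if rpm or cockpit is absent."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{EPOCHNUM}:%{VERSION}-%{RELEASE}", "cockpit"],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    # constructed sample EVRs; note that upstream-looking "344-3.el10_1" is still below the fix
    for evr in ("0:344-2.el10_1", "0:344-3.el10_1", FIXED_EVR, "0:345-1.el10_1"):
        print(f"{evr:28} vulnerable={is_vulnerable(evr)}")
    live = installed_cockpit_evr()
    if live:
        print("installed:", live, "vulnerable=", is_vulnerable(live))
```

Compare the full epoch:version-release rather than the bare version: "344-3.el10_1" sorts below "344-3.el10_1.rocky.0.1", and a string comparison of "344" alone would wrongly report that build as fixed.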
Original title
Critical: cockpit: Unauthenticated remote code execution due to SSH command-line argument injection
Original description
Cockpit enables users to administer GNU/Linux servers using a web browser. It
offers network configuration, log inspection, diagnostic reports, SELinux
troubleshooting, interactive command-line sessions, and more.
Security Fix(es):
* cockpit: ws: be more explicit when handling hostnames on cli (CVE-2026-4631)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
CVSS 3.1 base score (osv): 9.8
References
- https://errata.rockylinux.org/RLSA-2026:7383 (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2450246 (Third Party Advisory)
Published: 21 May 2026 · Updated: 21 May 2026 · First seen: 21 May 2026