CVE-2026-34965: Cockpit CMS RCE via PHP Code Injection

The National Vulnerability Database has detailed a critical remote code execution vulnerability (CVE-2026-34965) in Cockpit CMS. The flaw allows authenticated attackers with collection management privileges to inject arbitrary PHP code. The attack goes through the /cockpit/collections/save_collection endpoint: malicious code embedded in the collection rule parameters is written verbatim into server-side PHP files, and because those files are later loaded with include(), the injected code runs and gives the attacker command execution on the underlying server.

With a CVSS score of 8.8, this vulnerability presents a significant risk. Attackers can pivot from authenticated access to full server compromise, making it a prime target for those seeking to establish persistence or exfiltrate data. Exploitation is low-complexity and requires no user interaction, which amplifies the threat. Defenders must prioritize patching or mitigating systems running Cockpit CMS, especially those exposed to the internet or that have untrusted authenticated users.

What This Means For You

  • If your organization uses Cockpit CMS, immediately audit all instances for unauthorized modifications to collection rules. Apply any available patches from the vendor and review access controls for users who hold collection management privileges, since that role is the precondition for exploitation. Consider file integrity monitoring on the PHP files Cockpit generates from collection rules so that injected code is detected when it is written, not when it is executed.

🛡️ Detection Rules

The detection rules for this advisory were auto-generated and mapped to MITRE ATT&CK; the Sigma rule is reproduced below.

Severity: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-34965: Cockpit CMS PHP Code Injection via save_collection

Sigma YAML:

```yaml
title: CVE-2026-34965: Cockpit CMS PHP Code Injection via save_collection
id: scw-2026-04-29-ai-1
status: experimental
level: critical
description: |
  Detects the specific endpoint and parameter used in CVE-2026-34965 to inject PHP code.
  Attackers exploit the 'collection_rules' parameter within the
  /cockpit/collections/save_collection endpoint to achieve RCE.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-34965/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # Standard Sigma webserver field for the requested URI (the original
    # rule used the non-standard field name 'uri').
    c-uri|contains:
      - '/cockpit/collections/save_collection'
    cs-method:
      - 'POST'
    # Note: the injected parameter is normally sent in the POST body, which
    # access logs do not record; this clause only fires if it also appears
    # in the query string. Expect matches on the endpoint alone.
    cs-uri-query|contains:
      - 'collection_rules'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World
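The same logic as the Sigma rule, applied to access-log lines, as an added defender-side example (not code from the advisory or from Cockpit CMS). It parses combined-format log lines, flags POST requests to the save_collection endpoint, and records whether the `collection_rules` parameter was visible in the query string, since the POST body is not logged. The log lines and IP addresses are constructed samples.

```python
"""Flag POST requests to the Cockpit save_collection endpoint in web server logs.
Added example mirroring the Sigma rule above; sample lines are constructed."""
import re
from urllib.parse import urlsplit

ENDPOINT = "/cockpit/collections/save_collection"
PARAM = "collection_rules"

# Apache/Nginx combined format:
# ip - user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def match_line(line):
    """Return a finding dict for a POST to the endpoint, otherwise None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    parts = urlsplit(m["target"])
    if ENDPOINT not in parts.path:
        return None
    # The injected parameter travels in the POST body, which access logs do
    # not record, so its presence in the query string is only a bonus signal.
    return {
        "ip": m["ip"], "user": m["user"], "time": m["time"],
        "status": int(m["status"]),
        "param_in_query": PARAM in parts.query,
    }


def scan(lines):
    """Run match_line over every log line and keep the findings."""
    return [f for f in map(match_line, lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - editor [29/Apr/2026:10:01:02 +0000] "POST /cockpit/collections/save_collection HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - editor [29/Apr/2026:10:01:03 +0000] "GET /cockpit/collections HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Apr/2026:10:02:00 +0000] "POST /cockpit/collections/save_collection?collection_rules=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [29/Apr/2026:10:02:01 +0000] "POST /cockpit/auth/check HTTP/1.1" 200 120 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Every hit should be reconciled against the audit trail of who legitimately edited a collection; a 2xx status from an account that is not expected to manage collections is the case worth escalating.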


Indicators of Compromise

ID              Type            Indicator
CVE-2026-34965  RCE             Cockpit CMS
CVE-2026-34965  RCE             /cockpit/collections/save_collection endpoint
CVE-2026-34965  Code Injection  Injection of arbitrary PHP code into collection rules parameters

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 29, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
