CVE-2026-4802

high

Description

A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacters and command substitutions into these parameters, leading to the execution of arbitrary shell commands on the affected system. This could result in a complete system compromise.

References

Advisories
More

https://access.redhat.com/errata/RHSA-2026:21700

https://access.redhat.com/errata/RHSA-2026:21676

https://access.redhat.com/errata/RHSA-2026:21647

https://access.redhat.com/errata/RHSA-2026:21516

https://access.redhat.com/errata/RHSA-2026:21515

https://access.redhat.com/errata/RHSA-2026:21468

https://access.redhat.com/errata/RHSA-2026:21395

https://access.redhat.com/errata/RHSA-2026:21394

https://access.redhat.com/errata/RHSA-2026:21392

https://access.redhat.com/errata/RHSA-2026:21390

https://github.com/cockpit-project/cockpit/blob/e204cd130/pkg/systemd/logsJournal.jsx#L206-L210

https://bugzilla.redhat.com/show_bug.cgi?id=2451155

https://access.redhat.com/security/cve/CVE-2026-4802

http://www.openwall.com/lists/oss-security/2026/05/20/19

Details

Source: Mitre, NVD

Published: 2026-05-11

Updated: 2026-05-28

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00192