Cockpit · Cockpit · CVE-2026-31891
**Name of the Vulnerable Software and Affected Versions**
Cockpit versions 2.13.4 and earlier
**Description**
Cockpit is a headless content management system. Instances running version 2.13.4 or earlier with API access enabled are susceptible to a SQL Injection issue in the MongoLite Aggregation Optimizer. The `/api/content/aggregate/{model}` API endpoint, when publicly accessible or reachable by untrusted users, is the exposed entry point. An attacker with a valid read-only API key can inject arbitrary SQL through unsanitized field names in aggregation queries. This allows bypassing the `state=1` published-content filter to access unpublished or restricted content and extract unauthorized data from the underlying SQLite content database. The `toJsonExtractRaw()` function in `lib/MongoLite/Aggregation/Optimizer.php` is the source of the issue.
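To show the bug class the advisory describes (a caller-supplied field name spliced into a SQLite `json_extract()` path, which lets the name escape the string literal and reach the `state=1` filter), the following is an added illustration and not Cockpit's code or the fix shipped in 2.13.5. The table layout (`items` with a JSON `document` column and a `state` column), the function names and the sample rows are constructed assumptions; the hardened builder restricts field paths to dotted identifiers before they enter the SQL text and binds the compared value as a parameter.

```python
import re
import sqlite3

# Allow-pattern for a field path such as "title" or "meta.author": dotted
# identifiers only, so quotes, parentheses and comment markers never reach SQL.
FIELD_PATTERN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*")


def is_valid_field(field: str) -> bool:
    """True when the field path consists solely of dotted identifiers."""
    return FIELD_PATTERN.fullmatch(field) is not None


def to_json_extract_unsafe(field: str) -> str:
    """Illustrative vulnerable pattern (assumed, not Cockpit's actual code):
    the caller-controlled field name is spliced straight into the SQL text,
    so any quote character in it is interpreted as SQL syntax."""
    return f"json_extract(document, '$.{field}')"


def to_json_extract_safe(field: str) -> str:
    """Hardened builder: validate the field path before it enters the SQL text.
    json_extract's path argument is a string literal, so once the name is
    restricted to identifier characters no further escaping is required."""
    if not is_valid_field(field):
        raise ValueError(f"invalid field name: {field!r}")
    return f"json_extract(document, '$.{field}')"


def make_db() -> sqlite3.Connection:
    """Constructed sample content table: JSON documents plus a state column,
    with state=1 meaning published (schema is an assumption, not Cockpit's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, document TEXT, state INTEGER)"
    )
    conn.executemany(
        "INSERT INTO items (id, document, state) VALUES (?, ?, ?)",
        [
            (1, '{"title": "hello", "author": "ann"}', 1),  # published
            (2, '{"title": "hello", "author": "bob"}', 0),  # unpublished
            (3, '{"title": "other", "author": "ann"}', 1),  # published
        ],
    )
    return conn


def find_published(conn: sqlite3.Connection, field: str, value: str) -> list:
    """Published-only lookup: validated field path in the SQL text, the value
    bound as a parameter, and the state=1 filter appended by the server so
    the caller cannot remove it."""
    sql = f"SELECT id FROM items WHERE {to_json_extract_safe(field)} = ? AND state = 1"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    print(find_published(db, "title", "hello"))  # only the published row: [1]
    try:
        find_published(db, "title'", "hello")  # quote in the field name is rejected
    except ValueError as exc:
        print("rejected:", exc)
```

The contrast to look for when reviewing similar code is whether the name validation happens before string formatting: `to_json_extract_unsafe` passes a quote character through unchanged, while `to_json_extract_safe` refuses it, so the `state = 1` clause the server appends can no longer be commented out or short-circuited by the field name.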
**Recommendations**
Upgrade to version 2.13.5 or later.