CVE-2026-24892

Name of the Vulnerable Software and Affected Versions openITCOCKPIT Community Edition versions prior to 5.3.1

Description openITCOCKPIT is a monitoring tool compatible with Nagios, Naemon, and Prometheus. The software contains an unsafe PHP deserialization pattern when handling changelog entries. Specifically, serialized changelog data originating from attacker-controlled application state is deserialized without class restrictions. While no current application endpoint directly introduces PHP objects into this data path, the unrestricted use of unserialize() creates a potential PHP object injection issue. Future modifications, plugins, or refactoring that introduce object values into this path could lead to immediate exploitability, potentially resulting in remote code execution.

Recommendations Update to a version newer than 5.3.1.