PT-2026-35934 · Cockpit · Cockpit

Felsec · Published 2026-04-29 · Updated 2026-04-29 · CVE-2026-38991

CVSS v3.1: 8.8 (High) · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Cockpit versions prior to 2.13.6

Description: A misconfiguration in the isFileTypeAllowed() function of the Bucket component allows an authenticated attacker to bypass the extension filter with a specially crafted filename. This makes it possible to rename arbitrary files to a .php extension, which can lead to arbitrary code execution on the underlying server.

Recommendations: Update to a version later than 2.13.5. As a temporary workaround, restrict access to the Bucket component or to the isFileTypeAllowed() function to reduce the risk of exploitation.

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2026-38991

Affected Products: Cockpit