CVE-2026-57856

HIGHPre-NVD 8.88.8
EchelonGraph scoreHIGH confidence

Score 8.8 from GitHub Security Advisory (severity: HIGH) published 2026-07-14. the CNA's CVSS baseline 8.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:vulncheck, epss, ghsa
Trending — 4 sources updated this weekElevated
8.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 8.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php sanitizes the bucket name with preg_replace('/[^a-zA-Z0-9-_\\.]/','', $bucket), which permits '..' and '../' sequences. The sanitized value is interpolated into a Flysystem path as uploads://buckets/{bucket}. Flysystem's WhitespacePathNormalizer resolves 'buckets/..' to the empty string (the uploads storage root) without raising PathTraversalDetected because the '..' has a preceding component to consume. An authenticated low-privileged user can send a crafted request with a '../' bucket name to list, upload, and delete files across all buckets, including those belonging to other users or roles

CVSS v3
8.8
EG Score
8.8(high)
EPSS
31.1%
KEV
Not listed

Published

July 13, 2026

Last Modified

July 14, 2026

Advisory Details (5)

Auto-updated Jul 14, 2026
🔬 Proof of concept available. Patch available. Sources: github_commit.
generic

Cockpit CMS Path Traversal via Bucket Name in Bucket File Storage API | Advisories | VulnCheck

https://www.vulncheck.com/advisories/cockpit-cms-path-traversal-via-bucket-name-in-bucket-file-storage-api
generic

Cockpit CMS Missing Authorization in Bucket File Storage API | Advisories | VulnCheck

https://www.vulncheck.com/advisories/cockpit-cms-missing-authorization-in-bucket-file-storage-api
generic

GitHub - Cockpit-HQ/Cockpit: Cockpit Core - Content Platform · GitHub

https://github.com/cockpit-hq/cockpit
github_commit Patch Available

commit dde2d1d74f5f (Cockpit-HQ/Cockpit)

Patch available: Cockpit-HQ/Cockpit 2.14.0 (contains commit dde2d1d74f5f)

https://github.com/Cockpit-HQ/Cockpit/commit/dde2d1d74f5f4e11de42a298918ea8c9684f932c
generic🟡 PoC Available

cockpit-cms-security-advisory-2026.md · GitHub

https://gist.github.com/sermikr0/821c4edd3c34e98a62a50b07707785bd

Vendor Advisories for CVE-2026-57856(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 14× in last 7d / 14× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-16 02:13 UTCEG score recompute
  2. 2026-07-16 02:13 UTCGHSA enrichment
  3. 2026-07-15 16:57 UTCEPSS rescore
  4. 2026-07-15 16:57 UTCEPSS rescore
  5. 2026-07-15 13:22 UTCEG score recompute
  6. 2026-07-15 13:22 UTCGHSA enrichment
  7. 2026-07-15 02:00 UTCEPSS rescore
  8. 2026-07-15 02:00 UTCEPSS rescore
  9. 2026-07-15 00:30 UTCEG score recompute
  10. 2026-07-15 00:30 UTCGHSA enrichment
  11. 2026-07-14 11:38 UTCEG score recompute
  12. 2026-07-14 11:38 UTCGHSA enrichment
  13. 2026-07-13 22:48 UTCEG score recompute
  14. 2026-07-13 22:47 UTCMITRE cvelistV5first tracked

Frequently asked(5)

What is CVE-2026-57856?
CVE-2026-57856 is a high vulnerability published on July 13, 2026. Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php sanitizes the bucket name with pregreplace('/[^a-zA-Z0-9-\\.]/','', $bucket), which permits '..' and '../' sequences. The sanitized…
When was CVE-2026-57856 disclosed?
CVE-2026-57856 was first published in the National Vulnerability Database on July 13, 2026, with the most recent update on July 14, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-57856 actively exploited?
CVE-2026-57856 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 31.1% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-57856?
CVE-2026-57856 has a CVSS v4.0 base score of 8.8 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-57856?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-57856, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-57856

Explore →

Is Your Infrastructure Affected by CVE-2026-57856?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.