CVE-2026-38991
CVE-2026-38991 affects Cockpit 2.13.5 and earlier, due to a misconfiguration in the Bucket component’s _isFileTypeAllowed function that bypasses the extension filter with a crafted filename. This allows an authenticated attacker to rename arbitrary files with the .php extension and can lead to ar...