cockpit: Unauthenticated remote code execution due to SSH command-line argument injection

An update is available for cockpit. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Cockpit enables users to administer GNU/Linux servers using a web browser. I...

cockpit: Cockpit: Unauthenticated remote code execution due to SSH command-line argument injection

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH...

RHEL 10 : cockpit: Unauthenticated remote code execution due to SSH command-line argument injection (Critical) (RHSA-2026:7381)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:7381 advisory. Cockpit enables users to administer GNU/Linux servers using a web browser. It offers network configuration, log inspection, diagnostic reports,...

CVE-2026-4631

CVE-2026-4631 affects Cockpit: unauthenticated remote code execution via SSH command-line argument injection in the remote login flow. The web interface passes user-supplied hostnames/usernames to the SSH client without validation, allowing a network-connected attacker to send a single HTTP reque...