File Upload Bypass Leads to Remote Code Execution (RCE) in cockpit-hq/cockpit

Valid

Reported on Aug 5th 2023


Description

The file upload functionality available to users is vulnerable. Although almost all files with extensions like php, phtml, etc. are blocked, an attacker can still upload phps files and achieve remote code execution.

Condition

The Apache server hosting the web application needs to be able to execute phps files.

Proof of Concept

  1. Link PoC: https://docs.google.com/document/d/1v-o_Uoqqwz6x8Wt9UDUHA0Q1aqakCexcvnwLl4rKdQ4/edit?usp=sharing
  2. Link video PoC: https://photos.app.goo.gl/zAySJVVHWo8fkXzY9

Impact

An attacker could use this vulnerability to get code execution on the victim machine.
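
An added example, not Cockpit's code or its 2.6.3 fix: a denylist of the kind the report describes, which misses `phps`, beside an allowlist check that stores the upload under a server-generated name. The extension lists, function names and sample file names are assumptions made for illustration.

```php
<?php
// Added example, not Cockpit's code. Lists and names are illustrative assumptions.

// Denylist like the one the report describes: "phps" is not listed.
const DENYLIST = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'php7'];
// Allowlist: only the types the application needs to store.
const ALLOWLIST = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf', 'txt'];

// Lowercased dot-separated parts that follow the base name.
function extensionParts(string $name): array
{
    // Drop path components, then trailing dots/spaces some filesystems strip.
    $base = rtrim(basename(str_replace('\\', '/', $name)), ". \t");
    $parts = explode('.', strtolower($base));
    array_shift($parts); // discard the base name
    return $parts;
}

// Weak check: rejects only what it knows about.
function denylistAccepts(string $name): bool
{
    $parts = extensionParts($name);
    $last = end($parts);
    return $last === false || !in_array($last, DENYLIST, true);
}

// Hardened check: returns the name to store under, or null to reject.
function safeStoredName(string $name): ?string
{
    if (strpos($name, "\0") !== false) {
        return null;
    }
    $parts = extensionParts($name);
    $ext = end($parts);
    if ($ext === false || !in_array($ext, ALLOWLIST, true)) {
        return null;
    }
    // A server-generated name drops any inner extension such as "x.php.png".
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, not taken from the report's PoC.
foreach (['photo.JPG', 'shell.php', 'shell.phps', 'notes.phps.', 'img.php.png'] as $n) {
    printf("%-12s denylist=%-6s stored=%s\n", $n,
        denylistAccepts($n) ? 'accept' : 'reject',
        safeStoredName($n) ?? '(rejected)');
}
```

The check only decides what gets stored; serving the upload directory with script handlers disabled is a separate control.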

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. 2 months ago
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back a month ago
cockpit-hq/cockpit maintainer has acknowledged this report a month ago
cockpit-hq/cockpit maintainer gave praise a month ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
cockpit-hq/cockpit maintainer validated this vulnerability a month ago
quanghuy25112000 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.6.3 with commit 800c05 a month ago
Artur has been awarded the fix bounty
This vulnerability has been assigned a CVE
Artur published this vulnerability a month ago
Assets.php#L140-L192 has been validated