Cockpit Project Cockpit
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Cockpit Project Cockpit.
By the Year
In 2026 there have been 0 vulnerabilities in Cockpit Project Cockpit. Last year, in 2025 Cockpit had 1 security vulnerability published. Right now, Cockpit is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 3.50 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 2 | 5.90 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 6.50 |
| 2019 | 1 | 7.50 |
It may take a day or so for new Cockpit vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Cockpit Project Cockpit Security Vulnerabilities
Cockpit <2.11.3 XSS via /system/users/save (name/email)
CVE-2025-7053
3.5 - Low
- July 04, 2025
A vulnerability was found in Cockpit up to 2.11.3. It has been rated as problematic. This issue affects some unknown processing of the file /system/users/save. The manipulation of the argument name/email leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.11.4 is able to address this issue. The patch is named bdcd5e3bc651c0839c7eea807f3eb6af856dbc76. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure and acted very professional. A patch and new release was made available very quickly.
XSS
A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD)
CVE-2021-3698
7.5 - High
- March 10, 2022
A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.
Improper Certificate Validation
Cockpit (and its plugins) do not seem to protect itself against clickjacking
CVE-2021-3660
4.3 - Medium
- March 10, 2022
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
Clickjacking
An SSRF issue was discovered in cockpit-project.org Cockpit 234
CVE-2020-35850
6.5 - Medium
- December 30, 2020
An SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states "I don't think [it] is a big real-life issue.
SSRF
It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack
CVE-2019-3804
7.5 - High
- March 26, 2019
It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie which could cause the web service to crash.
Missing Initialization of Resource
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Cockpit Project Cockpit or by Cockpit Project? Click the Watch button to subscribe.
