CVE-2026-6626: Cockpit has NoSQL Injection Through Content Aggregation Pipelines

April 20, 2026 (updated April 23, 2026)

A vulnerability was detected in Cockpit-HQ Cockpit up to 2.13.5. Affected by this issue is some unknown functionality of the component Asset Handler/Aggregate Handler. The manipulation results in improper neutralization of special elements in data query logic. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/Cockpit-HQ/Cockpit
github.com/NicolasPauferro/studiesofnosqli
github.com/advisories/GHSA-5pv2-86qj-5jf9
nvd.nist.gov/vuln/detail/CVE-2026-6626
vuldb.com/submit/792601
vuldb.com/vuln/358261
vuldb.com/vuln/358261/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-6626 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →