CVSS Score: -

Basic Information

- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cockpit-hq/cockpit | composer | < 2.6.3 | 2.6.3 |
The vulnerability stems from improper file extension validation in the Assets module's upload handler. The patch adds 'htm' and 'html' to a $forbidden array that previously blocked only PHP-related extensions, which indicates that the pre-patch validation allowed HTML file uploads; a browser renders such a file as active content, enabling stored XSS. The code modification in modules/Assets/bootstrap.php lines 67-86 (specifically the extension check logic) corresponds directly to the vulnerability description.
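The following is an added illustration, not Cockpit's own code, of the check described above: a blocklist-style extension filter before and after 'htm' and 'html' are added, beside an allowlist variant that a defender would generally prefer because a blocklist only covers the extensions someone remembered to list. The concrete extension lists, the sample file names and the helper names are assumptions, not taken from modules/Assets/bootstrap.php.

```php
<?php
// Added example; not Cockpit's code. The pre-patch list is an assumption
// standing in for "PHP-related extensions", not the project's real array.
$forbiddenBefore = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];
// The patch's addition as described: HTML is active content in a browser.
$forbiddenAfter  = array_merge($forbiddenBefore, ['htm', 'html']);

/** Lower-cased last extension of a file name ('' if there is none). */
function uploadExtension(string $filename): string
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

/** Blocklist check: rejects only extensions that appear in $forbidden. */
function blocklistAllows(string $filename, array $forbidden): bool
{
    return !in_array(uploadExtension($filename), $forbidden, true);
}

/** Allowlist check: accepts only extensions an asset store needs to serve.
 *  An extension-less name is rejected because its type is unknown. */
function allowlistAllows(string $filename, array $allowed): bool
{
    $ext = uploadExtension($filename);
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Assumed asset types; formats that can carry script (e.g. SVG) are left out.
$assetTypes = ['png', 'jpg', 'jpeg', 'gif', 'webp', 'pdf', 'mp4'];

// Constructed sample names: an image, a PHP script, an HTML page, no extension.
$samples = ['logo.png', 'script.php', 'page.html', 'README'];
foreach ($samples as $name) {
    printf("%-11s before=%-6s after=%-6s allowlist=%s\n", $name,
        blocklistAllows($name, $forbiddenBefore) ? 'accept' : 'reject',
        blocklistAllows($name, $forbiddenAfter)  ? 'accept' : 'reject',
        allowlistAllows($name, $assetTypes)      ? 'accept' : 'reject');
}
```

Only the pre-patch blocklist accepts page.html; the allowlist additionally rejects the extension-less upload, whose type the server cannot know.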