cvedb.io
CVE-2026-31891
HIGH · CVSS 7.7
EPSS exploitation probability: 0%
Published 2026-03-18T04:17:19.570 · Last modified 2026-06-17T10:34:42.430

Summary

Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly accessible or reachable by untrusted users may be vulnerable, and attackers in possession of a valid read-only API key (the lowest privilege level) can exploit this vulnerability — no admin access is required. An attacker can inject arbitrary SQL via unsanitized field names in aggregation queries, bypass the `_state=1` published-content filter to access unpublished or restricted content, and extract unauthorized data from the underlying SQLite content database. This vulnerability has b

Affected products

agentejo — cockpit

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.