A vulnerability described as critical has been identified in Cockpit HQ Cockpit CMS up to 2.13.x. The affected element is the function
api of the file modules/System/Controller/Buckets.php of the component Bucket file storage API. Executing a manipulation of the argument bucket can lead to path traversal.
This vulnerability appears as CVE-2026-57856. The attack may be performed from remote. There is no available exploit.