Cockpit

v2.14.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 2mo Productivity & Wikis

✓ No known CVEs patched

This release patches 1 known CVE

Topics

api api-graphql api-rest cms cockpit graphql

+4 more

headless-cms mongodb nosql sqlite

Summary

AI summary

Fix Bucket path traversal vulnerability.

Full changelog

Improve KISS components
MongoLite: Restrict query callbacks ($func, $fn, $f, $where, direct criteria callbacks) to anonymous closures only
Improve logging utility: validate log type and enhance context handling
Add support for custom ACL permission expression (via ScriptLite)
Content: Add meta.computed ScriptLite support for save-time computed fields
Fix Bucket path traversal vulnerability
Enhance SVG file handling during uploads
Improve Thumbhash class with enhanced validation and error handling
MongoLite: Optimize sorting performance
Content: Validate and enforce ACL permissions on $lookup stages in aggregate pipeline
Harden session cookie handling: enforce HttpOnly, auto-detect Secure, validate SameSite, and support configurable cookie params via session.cookie
Sanitize display values in field-select and field-tags components to prevent XSS

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Track Cockpit

Get notified when new releases ship.

About Cockpit

Simple content platform to manage any structured content.