{"id":"PYSEC-2026-795","summary":"Cobbler Web Interface Kickstart Template Remote Privilege Escalation Vulnerability","details":"The web interface (CobblerWeb) in Cobbler before 1.2.9 allows remote authenticated users to execute arbitrary Python code with the root privileges in cobblerd by editing a Cheetah kickstart template to import arbitrary Python modules.","aliases":["CVE-2008-6954","GHSA-p8w2-f44p-fmcj"],"modified":"2026-07-07T11:45:44.522058876Z","published":"2026-07-06T08:03:24.945214Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2008-6954"},{"type":"WEB","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/46625"},{"type":"PACKAGE","url":"https://github.com/cobbler/cobbler"},{"type":"WEB","url":"https://web.archive.org/web/20111227125913/http://secunia.com/advisories/32804"},{"type":"WEB","url":"https://web.archive.org/web/20111227151912/http://secunia.com/advisories/32737"},{"type":"WEB","url":"https://web.archive.org/web/20200228143518/http://www.securityfocus.com/bid/32317"},{"type":"WEB","url":"https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00462.html"},{"type":"WEB","url":"https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00485.html"},{"type":"WEB","url":"http://freshmeat.net/projects/cobbler/releases/288374"},{"type":"PACKAGE","url":"https://pypi.org/project/cobbler"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-p8w2-f44p-fmcj"}],"affected":[{"package":{"name":"cobbler","ecosystem":"PyPI","purl":"pkg:pypi/cobbler"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.9"}]}],"versions":["0.6.3-2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/cobbler/PYSEC-2026-795.yaml"}}],"schema_version":"1.7.5"}