CVE-2026-23695

Published: May 15, 2026

Modified: May 15, 2026

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.

Vendor	Product	Versions
Cockpit-HQ	Cockpit	affected `0 - <= 2.14.0` unaffected `72a83fcfe85ad8330e9ae834bc02fa517b5749e9`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/Cockpit-HQ/Cockpit/commit/72a83fcfe85ad8330e9ae834bc02fa517b5749e9

patch

https://www.vulncheck.com/advisories/cockpit-cms-stored-xss-via-set-field-display-template

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-23695

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References