CVE-2026-23695
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk4th percentile - higher than 4% of all known CVEs
Summary
Cockpit CMS up to version 2.14.0 contains a stored cross-site scripting vulnerability in the Set field type's Display template option. The template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization, allowing an attacker with content/:models/manage permission to inject arbitrary JavaScript.
Risk Assessment
An attacker can execute arbitrary scripts in the browser of any user viewing the collection items list, potentially leading to session theft, content modification, or further attacks on system users.
Recommendation
Immediately update Cockpit CMS to a version containing commit 72a83fc or later, which fixes this vulnerability. Until the update, restrict access to model management functions to trusted users only.
Original NVD description (English source)
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.

