CVE-2026-23695 MEDIUM

CVE-2026-23695: Cockpit CMS 2.14.0 Stored XSS via Set Field Display Template

Vendor Cockpit-Hq
Product Cockpit
Weakness CWE-79 · XSS
Published May 15, 2026
Last update May 15, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.

Key dates

02Disclosure timeline

May 15, 2026 CVE published
May 15, 2026 Record updated