CVE Catalog

CVE-2026-23695

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile - higher than 4% of all known CVEs

Summary

Cockpit CMS up to version 2.14.0 contains a stored cross-site scripting vulnerability in the Set field type's Display template option. The template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization, allowing an attacker with content/:models/manage permission to inject arbitrary JavaScript.

Risk Assessment

An attacker can execute arbitrary scripts in the browser of any user viewing the collection items list, potentially leading to session theft, content modification, or further attacks on system users.

Recommendation

Immediately update Cockpit CMS to a version containing commit 72a83fc or later, which fixes this vulnerability. Until the update, restrict access to model management functions to trusted users only.

Original NVD description (English source)

Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS