CVE-2026-23695
published 2026-05-15CVE-2026-23695: Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template…
PriorityP425medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.14%
3.6th percentile
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cockpit-hq | cockpit | <= 2.14.0 | — |
| cockpit-hq | cockpit | 0 – 2.14.0 | — |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv4.05.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option
ghsa·2026-05-15
CVE-2026-23695 [MEDIUM] CWE-79 Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option
Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.
GHSA
GHSA-ch4j-vcf5-58x5: Cockpit CMS through version 2
ghsa_unreviewed·2026-05-15
CVE-2026-23695 [MEDIUM] CWE-79 GHSA-ch4j-vcf5-58x5: Cockpit CMS through version 2
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-15
Published