Cockpit save cross site scripting
Description
A vulnerability was found in Cockpit up to 2.11.3. It has been rated as problematic. This issue affects some unknown processing of the file /system/users/save. The manipulation of the argument name/email leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.11.4 is able to address this issue. The patch is named bdcd5e3bc651c0839c7eea807f3eb6af856dbc76. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure and acted very professional. A patch and new release was made available very quickly.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cockpit CMS versions up to 2.11.3 are vulnerable to stored XSS via the user name/email fields, fixed in 2.11.4.
Root
Cause
The vulnerability resides in the /system/users/save endpoint of Cockpit CMS. User-supplied values for the name and email arguments are stored without proper sanitization. When these values are later rendered in the admin interface (e.g., in the user avatar and account menu), they are not escaped, allowing injection of arbitrary HTML and JavaScript [1]. The fix, introduced in commit bdcd5e3, adds calls to $this->escape() on the user name and email fields before output [3].
Exploitation
An attacker with the ability to modify user profiles—such as an authenticated admin or a user with appropriate permissions—can craft a malicious payload in the name or email field. The attack is performed remotely via HTTP requests to the save endpoint. No special network position is required beyond access to the Cockpit admin panel [1]. The injected script executes when other administrators view the affected user's information, such as in the header avatar or account details panel.
Impact
Successful exploitation leads to stored cross-site scripting (XSS). An attacker can execute arbitrary JavaScript in the context of the Cockpit admin session, potentially leading to session hijacking, data exfiltration, or further administrative actions. The vulnerability is rated as problematic (medium severity) due to the prerequisite of authenticated access [1].
Mitigation
The vendor released version 2.11.4 on the same day as the disclosure, which includes the escaping fix [4]. Users are strongly advised to upgrade to 2.11.4 or later. No workarounds have been provided, and the patch is available in the official repository [3]. The vendor responded promptly and professionally to the report [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
cockpit-hq/cockpitPackagist | < 2.11.4 | 2.11.4 |
Affected products
3- Cockpit/Cockpitdescription
- Range: <=2.11.3
Patches
1bdcd5e3bc651Escape user-provided data to prevent XSS vulnerabilities in views.
3 files changed · +11 −11
modules/App/layouts/app.php+5 −5 modified@@ -139,7 +139,7 @@ class="<?= $this->helper('theme')->pageClass() ?>" <div class="kiss-flex-1 kiss-margin-left"></div> <?php $this->block('app.layout.header') ?> <a class="kiss-margin-left" href="#app-account-menu" aria-label="<?=t('Account')?>" kiss-popout> - <app-avatar size="30" name="<?= $this['user/name'] ?>"></app-avatar> + <app-avatar size="30" name="<?= $this->escape($this['user/name']) ?>"></app-avatar> </a> </kiss-container> </app-header> @@ -154,10 +154,10 @@ class="<?= $this->helper('theme')->pageClass() ?>" <kiss-card class="kiss-padding kiss-margin-small" theme="contrast"> <kiss-row gap="small"> - <div><app-avatar size="35" name="<?= $this['user/name'] ?>"></app-avatar></div> + <div><app-avatar size="35" name="<?=$this->escape($this['user/name'])?>"></app-avatar></div> <div class="kisss-flex-1"> - <div class="kiss-text-bold kiss-text-truncate kiss-size-small"><?= $this['user/name'] ?></div> - <div class="kiss-color-muted kiss-text-truncate kiss-size-xsmall"><?= $this['user/email'] ?></div> + <div class="kiss-text-bold kiss-text-truncate kiss-size-small"><?= $this->escape($this['user/name']) ?></div> + <div class="kiss-color-muted kiss-text-truncate kiss-size-xsmall"><?=$this->escape($this['user/email'])?></div> </div> </kiss-row> @@ -181,7 +181,7 @@ class="<?= $this->helper('theme')->pageClass() ?>" <kiss-offcanvas id="app-offcanvas"> <kiss-content class="kiss-flex kiss-flex-column"> <div class="kiss-padding kiss-flex kiss-bgcolor-contrast kiss-flex kiss-flex-middle"> - <div><app-avatar size="30" name="<?= $this['user/name'] ?>"></app-avatar></div> + <div><app-avatar size="30" name="<?=$this->escape($this['user/name'])?>"></app-avatar></div> <div class="kiss-margin-small-left kiss-flex-1 kiss-size-xsmall"> <div class="kiss-text-bold kiss-text-truncate"><?= $this->escape($this['user/name']) ?></div> <div class="kiss-color-muted kiss-text-truncate"><?= $this->escape($this['user/email']) ?></div>
modules/App/views/dashboard/index.php+4 −4 modified@@ -22,11 +22,11 @@ <div class="kiss-flex-inline kiss-flex-middle" gap="small"> <div> - <app-avatar size="40" name="<?=$this['user/name']?>"></app-avatar> + <app-avatar size="40" name="<?=$this->escape($this['user/name'])?>"></app-avatar> </div> <div> - <div class="kiss-text-bold"><?=$this['user/name']?></div> - <div class="kiss-text-truncate kiss-color-muted kiss-size-small"><?=$this['user/email']?></div> + <div class="kiss-text-bold"><?=$this->escape($this['user/name'])?></div> + <div class="kiss-text-truncate kiss-color-muted kiss-size-small"><?=$this->escape($this['user/email'])?></div> </div> </div> @@ -41,7 +41,7 @@ <kiss-card class="kiss-padding-large kiss-flex kiss-flex-middle kiss-flex-center kiss-align-center kiss-visible@m" :class="widgets.length ? 'kiss-height-30vh' : 'kiss-height-50vh'" :theme="widgets.length ? 'contrast shadowed':''"> <div class="animated fadeInUp"> - <div class="kiss-size-xlarge kiss-margin-small"><?=_t('Hello %s', [$this['user/name']])?></div> + <div class="kiss-size-xlarge kiss-margin-small"><?=_t('Hello %s', [$this->escape($this['user/name'])])?></div> <div class="kiss-color-muted kiss-size-1 kiss-text-light animated fadeIn delay-1s"><?=t("Excited for your creations today!")?></div> </div> </kiss-card>
modules/App/views/lockedResouce.php+2 −2 modified@@ -12,7 +12,7 @@ <div class="kiss-flex kiss-flex-middle"> <div class="kiss-margin-small-right"> - <app-avatar size="40" name="<?=$meta['user']['name']?>"> + <app-avatar size="40" name="<?=$this->escape($meta['user']['name'])?>"> <canvas width="40" height="40"></canvas> </app-avatar> </div> @@ -43,4 +43,4 @@ </kiss-card> -</kiss-container> \ No newline at end of file +</kiss-container>
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/Cockpit-HQ/Cockpit/commit/bdcd5e3bc651c0839c7eea807f3eb6af856dbc76ghsapatchWEB
- github.com/Cockpit-HQ/Cockpit/releases/tag/2.11.4ghsapatchWEB
- github.com/advisories/GHSA-j4rj-fgcq-wmqpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-7053ghsaADVISORY
- vuldb.comghsathird-party-advisoryWEB
- vuldb.comghsasignaturepermissions-requiredWEB
- vuldb.comghsavdb-entrytechnical-descriptionWEB
News mentions
0No linked articles in our index yet.