Medium severity5.4NVD Advisory· Published May 15, 2026· Updated May 18, 2026
CVE-2026-23695
CVE-2026-23695
Description
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
cockpit-hq/cockpitPackagist | <= 2.14.0 | — |
Affected products
1- Range: <=2.14.0
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.