CVE-2026-23695
Description
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cockpit CMS 2.14.0 and earlier have a stored XSS in the Set field's Display template via unsafe Function() evaluation and v-html rendering.
Vulnerability
Overview
Cockpit CMS through version 2.14.0 contains a stored cross-site scripting (XSS) vulnerability in the Set field type's Display template option. The root cause is that the $interpolate function uses new Function() to evaluate template strings, and the result is rendered via Vue's v-html directive without sanitization [1][2]. This allows an attacker to inject arbitrary JavaScript into the Display template.
Exploitation
Prerequisites
An attacker must have content/:models/manage permission to modify a Set field's Display template. The injected payload is stored and executed in the browser of any user who views the collection items list [2]. No additional user interaction is required beyond viewing the affected page.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session. This can be used to steal session tokens, perform actions on behalf of the victim, or deface the admin interface. The vulnerability is classified as Medium severity (CVSS 5.4) due to the requirement of authenticated access with specific permissions [2].
Mitigation
The vulnerability is patched in commit 72a83fc, which replaces the Function-based evaluation with a sandboxed JSLite engine to reduce code execution risk while preserving template behavior [1]. Users should update to a version containing this commit or apply the patch manually.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.14.0
Patches
72a83fcfe85a: Replace `App.utils.$interpolate` / `App.utils.interpolate` `Function`-based evaluation with sandboxed JSLite execution to reduce browser-side code execution risk while preserving display template behavior
4 files changed · +19 −6
CHANGELOG.md+1 −0 modified@@ -3,6 +3,7 @@ ## WIP - Refactor session state management and event stream handling in admin module +- Replace `App.utils.$interpolate` / `App.utils.interpolate` `Function`-based evaluation with sandboxed JSLite execution to reduce browser-side code execution risk while preserving display template behavior ## 2.14.0 (2026-03-30)
modules/App/assets/app.bundle.js+3 −3 modifiedmodules/App/assets/js/app/utils.js+6 −3 modified@@ -1,3 +1,5 @@ +import { Engine as JSLiteEngine } from "../../vendor/jslite.esm.js"; + let formatSize = function(bytes) { if (bytes == 0) { return "0.00 B"; } let e = Math.floor(Math.log(bytes) / Math.log(1024)); @@ -69,10 +71,11 @@ let copyText = function(text, cb) { if (cb) cb(); } +let interpolateEngine = new JSLiteEngine(); + let interpolate = function(str, params) { - const names = Object.keys(params); - const vals = Object.values(params); - return new Function(...names, `return \`${str}\`;`)(...vals); + const source = `return \`${str}\`;`; + return interpolateEngine.run(interpolateEngine.compile(source), Object.assign({}, params)); } let uuid = function() {
modules/App/assets/vendor/jslite.esm.js+9 −0 added
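Review bot: in the `interpolate` hunk of `modules/App/assets/js/app/utils.js`, the user-controlled `str` is still spliced into the compiled source (the line building `source` wraps it in a template literal exactly as before), so the change moves the trust boundary onto the JSLite engine rather than removing evaluation of the template; the hunk adds no test showing what that sandbox refuses (host globals such as `window` and `document`, or property walks through `constructor`), and a unit test asserting that such a template fails or yields an empty result would make the sandbox guarantee checkable in CI. Two smaller points on the same lines: `Object.assign({}, params)` only shallow-copies the parameters, so object-valued params remain shared with the caller and can be mutated from inside a template, and since the description says the result is still rendered through `v-html` without sanitization, this hunk changes evaluation only; escaping interpolated values before they reach `v-html` would be a worthwhile defence-in-depth addition.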
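Review bot: `modules/App/assets/vendor/jslite.esm.js` is added as a vendored file (+9 lines) without the upstream project, version or source URL recorded anywhere in the diff or in the CHANGELOG entry; since this file is now the security boundary for Display template evaluation, record its origin and the pinned version (a comment header in the file or a line in CHANGELOG.md) so future updates and audits can verify it against upstream.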
Vulnerability mechanics
Root cause
"The `interpolate` function in `modules/App/assets/js/app/utils.js` passes user-controlled template strings to `new Function()` for evaluation, enabling arbitrary JavaScript execution."
Attack vector
An attacker with `content/:models/manage` permission can inject arbitrary JavaScript into the Set field type's Display template option. When the template string is processed by the `$interpolate` function, it is evaluated via `new Function()` without sanitization [CWE-79]. The resulting output is rendered through Vue's `v-html` directive, causing the injected script to execute in the browser of any user viewing the collection items list. The attack is network-triggered (low complexity) and requires low-privileged authentication and user interaction (viewing the list).
Affected code
The vulnerable code is in `modules/App/assets/js/app/utils.js` in the `interpolate` function. The function builds the source string `` return `${str}`; `` from the template and evaluates it with `new Function(...names, source)(...vals)`, so any expression inside the template string runs as JavaScript with the parameters in scope; when the template string contains attacker-controlled JavaScript, this is arbitrary code execution. The patch also adds `modules/App/assets/vendor/jslite.esm.js` as a sandboxed template engine replacement.
What the fix does
The patch replaces the `new Function(...names, source)(...vals)` call with a sandboxed JSLite template engine [patch_id=424464]. A `JSLiteEngine` instance (`interpolateEngine`) is created once, and `interpolate` now compiles the same `` return `${str}`; `` source with `interpolateEngine.compile()` and executes it with `interpolateEngine.run()` against a shallow copy of the provided parameters. This prevents arbitrary code execution because JSLite evaluates only template expressions in a restricted sandbox, rather than allowing full JavaScript evaluation via the `Function` constructor.
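As an added example (not code from Cockpit CMS or from its patch), the pre-patch `interpolate` reproduced from the commit diff is shown beside a hypothetical hardened replacement and an audit helper. The hardened variant is my own alternative, not the JSLite engine the fix uses: it never evaluates code, substitutes only dotted parameter names, reads only own properties (so `${constructor}` resolves to nothing), and HTML-escapes the inserted values. The audit helper lists the `${...}` segments of a stored Display template that are not plain placeholders, which is what an administrator would want to scan existing templates for. The names `interpolateUnsafe`, `interpolateSafe`, `lookupOwnPath`, `extractExpressions` and `auditTemplate`, and the sample template and item, are assumptions constructed for this example.

```javascript
// Added example, not Cockpit CMS code. interpolateUnsafe reproduces the
// pre-patch function from the commit diff; everything else is a hypothetical
// hardened replacement and an audit helper (names are assumptions).

// Pre-patch behaviour: the template string becomes JavaScript source, so any
// expression inside ${...} executes with the caller's parameters in scope.
function interpolateUnsafe(str, params) {
  const names = Object.keys(params);
  const vals = Object.values(params);
  return new Function(...names, `return \`${str}\`;`)(...vals);
}

// Minimal HTML escaping for values inserted into markup later rendered via v-html.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// A placeholder is a dotted path of identifiers, e.g. ${title} or ${meta.count}.
const PLACEHOLDER_PATH = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const PLACEHOLDER_RE = /\$\{\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*\}/g;

// Walk a dotted path using own properties only, so ${constructor} or
// ${__proto__.x} never reach Object.prototype or the Function constructor.
function lookupOwnPath(obj, path) {
  return path.split('.').reduce((cur, key) => {
    if (cur === null || cur === undefined) return undefined;
    return Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
  }, obj);
}

// Hardened replacement: no code evaluation at all. Only placeholder paths are
// substituted; any other text, including ${...} expressions, stays literal.
function interpolateSafe(str, params) {
  return str.replace(PLACEHOLDER_RE, (_match, path) => {
    const value = lookupOwnPath(params, path);
    return value === undefined ? '' : escapeHtml(value);
  });
}

// Extract every ${...} segment, honouring nested braces; an unterminated
// segment ends the scan.
function extractExpressions(str) {
  const found = [];
  let i = str.indexOf('${');
  while (i !== -1) {
    let depth = 1;
    let j = i + 2;
    while (j < str.length && depth > 0) {
      if (str[j] === '{') depth += 1;
      else if (str[j] === '}') depth -= 1;
      j += 1;
    }
    if (depth !== 0) break;
    found.push(str.slice(i + 2, j - 1));
    i = str.indexOf('${', j);
  }
  return found;
}

// Audit helper for stored Display templates: returns the segments that are not
// plain placeholders, i.e. everything that would have run as code pre-patch.
function auditTemplate(str) {
  return extractExpressions(str)
    .map((e) => e.trim())
    .filter((e) => !PLACEHOLDER_PATH.test(e));
}

// Constructed sample input (not from the page): a Display template and one item.
const SAMPLE_TEMPLATE = '<b>${title}</b> (${meta.count})';
const SAMPLE_ITEM = { title: '<i>x</i>', meta: { count: 3 } };
const CODE_TEMPLATE = "${(() => 'ran')()}"; // an expression, not a placeholder

console.log(interpolateUnsafe(SAMPLE_TEMPLATE, SAMPLE_ITEM)); // <b><i>x</i></b> (3)
console.log(interpolateSafe(SAMPLE_TEMPLATE, SAMPLE_ITEM));   // <b>&lt;i&gt;x&lt;/i&gt;</b> (3)
console.log(interpolateUnsafe(CODE_TEMPLATE, {}));            // ran  (the expression executed)
console.log(interpolateSafe(CODE_TEMPLATE, {}));              // ${(() => 'ran')()}  (inert text)
console.log(auditTemplate(CODE_TEMPLATE));                    // [ "(() => 'ran')()" ]
```

Escaping here covers the interpolated values only; what `v-html` does with the template's own markup is outside this function, and the example does not reproduce the JSLite sandbox semantics of the actual fix. Running `auditTemplate` over every stored Set field Display template is a cheap way to find templates that relied on expression evaluation before upgrading.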
Preconditions
- auth: Attacker must have content/:models/manage permission in Cockpit CMS
- input: Attacker must be able to set the Display template value on a Set field type
- network: Victim must view the collection items list page where the template is rendered
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References