CVE-2026-23695

Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.
Configurations

No configuration.

History

15 May 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-05-15 17:16

Updated : 2026-06-17 10:21


NVD link : CVE-2026-23695

Mitre link : CVE-2026-23695

CVE.ORG link : CVE-2026-23695


JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')