Unknown · Cockpit CMS · CVE-2026-23695
**Name of the Vulnerable Software and Affected Versions**
Cockpit CMS versions prior to 2.14.1
**Description**
A stored cross-site scripting issue exists in the Set field type's Display template option. The template string is processed by the `$interpolate()` function using `new Function()` and rendered via Vue's `v-html` directive without proper sanitization. An attacker with `content/:models/manage` permission can inject arbitrary JavaScript into the Display template, which then executes in the browser of any user viewing the collection items list.
**Recommendations**
Update to the version containing commit 72a83fc.
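
A sketch of an interpolation routine that avoids both problems named in the description (code evaluation through `new Function()` and unescaped output reaching `v-html`). This is an added example, not Cockpit's code and not the fix in commit 72a83fc; `safeInterpolate`, `lookup` and `escapeHtml` are hypothetical helpers, and the `${path}` placeholder syntax is an assumption.

```javascript
// Added example: hypothetical helpers, not part of Cockpit CMS.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralize HTML metacharacters so the result is inert even if bound with v-html.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Resolve a dotted path such as "item.author.name" using own-property lookups only,
// so inherited members (constructor, __proto__, ...) are never reachable.
function lookup(scope, path) {
  let current = scope;
  for (const key of path.split('.')) {
    if (current === null || typeof current !== 'object' ||
        !Object.prototype.hasOwnProperty.call(current, key)) {
      return '';
    }
    current = current[key];
  }
  // Only primitives are rendered; objects, functions and null/undefined become empty.
  const t = typeof current;
  return current == null || t === 'object' || t === 'function' ? '' : current;
}

// Placeholders are limited to identifier paths. Anything else (calls, operators,
// string literals) does not match and is left as plain text, never evaluated.
const PLACEHOLDER = /\$\{\s*([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)\s*\}/g;

function safeInterpolate(template, scope) {
  const filled = String(template).replace(PLACEHOLDER, (_, path) => lookup(scope, path));
  // Escape template text and substituted values together, after substitution.
  return escapeHtml(filled);
}

// Constructed sample data: a display template and an item holding markup.
const sampleItem = { title: 'Q3 <b>report</b>', author: { name: 'A & B' } };
console.log(safeInterpolate('${item.title} by ${item.author.name}', { item: sampleItem }));
```

Binding the result with Vue's text interpolation instead of `v-html` removes the need for the escaping step, since Vue escapes text bindings itself.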