PT-2026-41318 · Unknown · Cockpit Cms

·

CVE-2026-23695

·

Published

2026-05-15

·

Updated

2026-05-15

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Cockpit CMS versions prior to 2.14.1
Description A stored cross-site scripting issue exists in the Set field type's Display template option. The template string is processed by the $interpolate() function using new Function() and rendered via Vue's v-html directive without proper sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which then executes in the browser of any user viewing the collection items list.
Recommendations Update to the version containing commit 72a83fc.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-23695
GHSA-CH4J-VCF5-58X5

Affected Products

Cockpit Cms