CVE-2026-23695: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Cockpit-HQ Cockpit
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.
AI Analysis
Technical Summary
CVE-2026-23695 is a stored cross-site scripting vulnerability in Cockpit CMS through version 2.14.0. The issue exists in the Set field type's Display template option, where user-controlled template strings are processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. This allows an attacker with content/:models/manage permission to inject and execute arbitrary JavaScript in the browsers of users viewing the collection items list. The vulnerability has a CVSS 4.0 score of 5.1 (medium severity). No vendor advisory or patch information is currently available, and the product is not a cloud service.
Potential Impact
An attacker with content/:models/manage permission can inject arbitrary JavaScript code into the Display template, which executes in the context of users viewing the collection items list. This can lead to typical XSS impacts such as session hijacking, unauthorized actions, or information disclosure within the affected application context. The vulnerability requires some level of privilege (content/:models/manage) and user interaction (viewing the collection items list). There are no known exploits in the wild reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability is due to lack of sanitization in the Display template option, administrators should restrict permissions to trusted users only and avoid granting content/:models/manage permission broadly. Monitor vendor channels for an official fix or update. Until a patch is available, consider disabling or limiting use of the Set field type's Display template feature if feasible.
CVE-2026-23695: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Cockpit-HQ Cockpit
Description
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-23695 is a stored cross-site scripting vulnerability in Cockpit CMS through version 2.14.0. The issue exists in the Set field type's Display template option, where user-controlled template strings are processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. This allows an attacker with content/:models/manage permission to inject and execute arbitrary JavaScript in the browsers of users viewing the collection items list. The vulnerability has a CVSS 4.0 score of 5.1 (medium severity). No vendor advisory or patch information is currently available, and the product is not a cloud service.
Potential Impact
An attacker with content/:models/manage permission can inject arbitrary JavaScript code into the Display template, which executes in the context of users viewing the collection items list. This can lead to typical XSS impacts such as session hijacking, unauthorized actions, or information disclosure within the affected application context. The vulnerability requires some level of privilege (content/:models/manage) and user interaction (viewing the collection items list). There are no known exploits in the wild reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vulnerability is due to lack of sanitization in the Display template option, administrators should restrict permissions to trusted users only and avoid granting content/:models/manage permission broadly. Monitor vendor channels for an official fix or update. Until a patch is available, consider disabling or limiting use of the Set field type's Display template feature if feasible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-01-14T22:02:15.208Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a075665ec166c07b0723465
Added to database: 5/15/2026, 5:22:45 PM
Last enriched: 5/15/2026, 5:37:58 PM
Last updated: 5/15/2026, 8:46:55 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.