{"id":"CVE-2026-23695","summary":"Cockpit CMS 2.14.0 Stored XSS via Set Field Display Template","details":"Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.","aliases":["GHSA-ch4j-vcf5-58x5"],"modified":"2026-07-08T08:12:25.715707222Z","published":"2026-05-15T16:33:46.897Z","database_specific":{"cna_assigner":"VulnCheck","cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23695.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23695.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23695"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/cockpit-cms-stored-xss-via-set-field-display-template"},{"type":"FIX","url":"https://github.com/Cockpit-HQ/Cockpit/commit/72a83fcfe85ad8330e9ae834bc02fa517b5749e9"},{"type":"PACKAGE","url":"https://github.com/Cockpit-HQ/Cockpit"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cockpit-hq/cockpit","events":[{"introduced":"0"},{"fixed":"dde2d1d74f5f4e11de42a298918ea8c9684f932c"},{"fixed":"72a83fcfe85ad8330e9ae834bc02fa517b5749e9"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.14.0"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["2.14.0","2.13.5","2.13.4","2.13.3","2.13.2","2.13.1","2.13.0","2.12.1","2.12.0","2.11.4","2.11.3","2.11.2","2.11.1","2.11.0","2.10.3","2.10.2","2.10.1","2.10.0","2.9.4","2.9.3","2.9.2","2.9.1","2.9.0","2.8.6","2.8.5","2.8.4","2.8.3","2.8.2","2.8.1","2.8.0","2.7.2","2.7.1","2.7.0","2.6.3","2.6.2","2.6.1","2.6.0","2.5.2","2.5.1","2.5.0","2.4.1","2.4.0","2.3.9","2.3.8","2.3.7","2.3.6","2.3.5","2.3.4","2.3.3","2.3.2","2.3.1","2.3.0","2.2.2","2.2.1","2.2.0","2.1.2","2.1.1","2.1.0","2.0.2","2.0.1","2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23695.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}]}