PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23695 Cockpit-HQ CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in Cockpit CMS through version 2.14.0. The vulnerability resides in the Set field type's Display template option, where template strings are processed by the $interpolate function using new Function() and subsequently rendered via Vue's v-html directive without adequate sanitization. An attacker possessing content/:models/manage permissions can inject arbitrary JavaScript into the Display template. This injected script executes in the browser of any user viewing the affected collection items list. The vulnerability was remediated in commit 72a83fc.

Vendor
Cockpit-HQ
Product
Cockpit
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-18
Advisory published
2026-05-15
Advisory updated
2026-05-18

Who should care

Organizations running Cockpit CMS versions 2.14.0 or earlier with multiple content administrators; security teams monitoring for stored XSS in headless CMS platforms; developers implementing custom field types with template interpolation

Technical summary

The vulnerability stems from unsafe template processing in Cockpit CMS's Set field type. The $interpolate function evaluates template strings using new Function(), creating arbitrary code execution potential. Combined with Vue's v-html directive—which renders HTML without escaping—this allows stored JavaScript payloads to execute in victim browsers. Attack requires content/:models/manage permission, limiting exploitation to authenticated users with model management capabilities.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Cockpit CMS to a version incorporating commit 72a83fc or later
  • Review and audit Set field Display templates for unauthorized JavaScript injection
  • Restrict content/:models/manage permissions to trusted administrative users only
  • Implement Content Security Policy (CSP) headers to mitigate impact of XSS vulnerabilities
  • Enable output encoding and sanitization for all user-controlled template content rendered via Vue's v-html directive

Evidence notes

Vulnerability confirmed through official NVD record and Vulncheck advisory. Patch commit 72a83fcfe85ad8330e9ae834bc02fa517b5749e9 identified as remediation. CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring low privileges and user interaction.

Official resources

2026-05-15