MEDIUM
Cockpit-HQ
CVE published 2026-05-15
CVE-2026-23695
A stored cross-site scripting (XSS) vulnerability exists in Cockpit CMS through version 2.14.0. The vulnerability resides in the Set field type's Display template option, where template strings are processed by the $interpolate function using new Function() and subsequently rendered via Vue's v-html directive without adequate sanitization. An attacker possessing content/:models/manage permissions can inje [truncated]