Primary

Context

Cockpit CMS Stored Cross-Site Scripting Vulnerability in Set Field Display Template

Vulnerability

A stored cross-site scripting vulnerability has been identified in Cockpit CMS versions through 2.14.0. This issue, patched in commit 72a83fc, arises in the Set field type's Display template option. The vulnerability occurs because the template string is processed by the $interpolate function using new Function(), and then rendered via Vue's v-html directive without proper sanitization. An attacker with content/:models/manage permission can inject arbitrary JavaScript into the Display template, which is executed in the browser of any user viewing the collection items list.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the affected collection items.

Remediation

Users can update to Cockpit CMS version 2.14.0 or later to address this vulnerability.

Added: May 15, 2026, 5:31 PM

Updated: May 15, 2026, 5:31 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.0

exploitability

5.7

remediation

0.0

relevance

8.4

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.0

exploitability

5.7

remediation

0.0

relevance

8.4

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Cockpit CMS Stored Cross-Site Scripting Vulnerability in Set Field Display Template

Vulnerability

Impact

Remediation

Affected Products

Cockpit CMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating