Impact
Cockpit CMS up to and including version 2.14.0 stores the value supplied to a Set field type's Display template option without escaping it. That template string is processed by a JavaScript interpolate function that compiles the content with new Function(), and the result is rendered through Vue's v-html directive without sanitization. An attacker holding the content/:models/manage permission can therefore inject arbitrary JavaScript into the template, and the code runs in the browser of every user who views the corresponding collection items list. Consequences include theft of cookies or other browser-side secrets, manipulation of page content, and execution of arbitrary actions with the privileges of the logged-in user.
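The two rendering patterns at issue, as an added illustration that is not Cockpit's code: a template helper of the kind the advisory describes (the stored template becomes the body of a function built with new Function(), and its output is handed to innerHTML/v-html) next to a hardened replacement that resolves placeholders by a restricted property lookup, never evaluates template content, and HTML-escapes everything it emits. The function names, the `${...}` placeholder syntax, the sample item and the attacker template are all constructed for this example.

```javascript
// Added illustration, not code from Cockpit CMS. Shows why compiling a stored
// display template with new Function() and rendering it via v-html is an XSS
// sink, and one way to render the same kind of template safely.

// Vulnerable pattern (assumed shape, mirrors the advisory's description): the
// template text is spliced into a template literal inside a generated function,
// so any ${...} in it is executed as JavaScript, and the returned string is then
// assigned to innerHTML (what v-html does) without escaping.
function interpolateUnsafe(template, item) {
  const fn = new Function("item", "with (item) { return `" + template + "`; }");
  return fn(item);
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Own-property-only dotted lookup: "a.b" reads item.a.b, but never walks the
// prototype chain, so paths such as "constructor.prototype" resolve to undefined.
function lookup(item, path) {
  return path.split(".").reduce(
    (obj, key) =>
      obj != null && Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined,
    item
  );
}

// Hardened pattern: placeholders are restricted to property paths, values are
// looked up rather than evaluated, and both the literal template text and the
// substituted values are HTML-escaped, so the result is safe even under v-html.
function interpolateSafe(template, item) {
  const placeholder = /\$\{\s*([\w.]+)\s*\}/g;
  let out = "";
  let last = 0;
  let match;
  while ((match = placeholder.exec(template)) !== null) {
    out += escapeHtml(template.slice(last, match.index));
    out += escapeHtml(lookup(item, match[1]) ?? "");
    last = match.index + match[0].length;
  }
  return out + escapeHtml(template.slice(last));
}

// Constructed sample: a display template an attacker with the manage permission
// could store, applied to a constructed collection item. The comma expression
// sets a global as a stand-in for exfiltrating document.cookie; the <img> tag is
// the classic markup-based payload.
function demo() {
  const item = { title: "Hello <World>" };
  const attackerTemplate =
    "${(globalThis.pwned = 'executed', '')}<img src=x onerror=alert(1)>${title}";

  delete globalThis.pwned;
  const safe = interpolateSafe(attackerTemplate, item);
  const safeRanCode = globalThis.pwned === "executed";

  delete globalThis.pwned;
  const unsafe = interpolateUnsafe(attackerTemplate, item);
  const unsafeRanCode = globalThis.pwned === "executed";
  delete globalThis.pwned;

  return { safe, safeRanCode, unsafe, unsafeRanCode };
}
```

Running demo() shows the unsafe path both executing the embedded JavaScript and returning raw `<img ... onerror=...>` markup for the DOM, while the safe path leaves the global untouched and returns a string with no unescaped angle brackets. The hardened version still lets editors format a display line from item fields; what it removes is the ability for a stored template to carry code or markup.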
Affected Systems
The vulnerability affects Cockpit CMS version 2.14.0 and earlier. The fix is in commit 72a83fc; upgrading to a release later than 2.14.0, or applying that commit, resolves the flaw. Because the malicious template is stored with the model definition, existing Set field Display template values should also be reviewed for unexpected script after patching.
Risk and Exploitability
The CVSS score of 5.1 corresponds to medium severity. No EPSS score is publicly available and the vulnerability is not listed in CISA's KEV catalog, so there is no public evidence of exploitation in the wild. Exploitation requires an authenticated account holding the content/:models/manage permission, but once a malicious template is stored it executes in the browser of every user who subsequently views the affected collection items, so a content-management account can act with the privileges of whichever users view that list. Malicious insiders and compromised accounts holding that permission are the most realistic threat vectors.
OpenCVE Enrichment