Cockpit CMS v2.6.3 Installation: https://github.com/Cockpit-HQ/Cockpit
Step 1: Access to http://localhost/Cockpit/auth/login?to=%2F and log in to an account that has permission to upload assets. Go to Assets and click "Upload Asset" button to upload file.
Step 2: In upload feature, inject payload XSS: <img src=x onerror=alert('XSS_by_NCS');> into content file, and filename has the extension .shtml
Step 3: Access to images by using link in "Copy asset link"
And XSS payload will execute