CVE-2026-24906 — Cross-site Scripting in October

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 98.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Octobercms October October System

Timeline

PublishedApr 14

Description

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lea…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶Packagistoctober/system4.0.0 — 4.1.10+1

▶CVEListV5octobercms/october< 3.7.14+1

🔴Vulnerability Details

GHSA

October CMS has Stored XSS in Backend Editor Markup Classes↗2026-04-14

▶

VulDB

October CMS up to 3.7.13/4.1.9 Setting cross site scripting (GHSA-6qmh-j78v-ffp7)↗2026-04-14

▶