CVE-2026-24907Cross-site Scripting in October

CWE-79Cross-site Scripting3 documents3 sources
Severity
5.1MEDIUMNVD
EPSS
0.0%
top 90.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Octobercms OctoberOctober System
Timeline
PublishedApr 14

Description

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail tem

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

Packagistoctober/system4.0.04.1.10+1
CVEListV5octobercms/october< 3.7.14+1

🔴Vulnerability Details

2
VulDB
October CMS up to 3.7.13/4.1.9 Mail Message cross site scripting (GHSA-j4j5-9x6g-rgxc)2026-04-14
GHSA
October CMS has Stored XSS in Event Log Mail Preview2026-04-14