CVE-2026-27937
Published 2026-04-21
Priority P4 · Low · CVSS 3.1 base score 3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
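Checking the score against the vector, as an added derivation rather than text from the page (CVSS v3.1 base-metric weights: AV:N = 0.85, AC:H = 0.44, PR:N = 0.85, UI:R = 0.62, I:L = 0.22, C:N = A:N = 0; scope unchanged):

$$
\begin{aligned}
\mathrm{ISS} &= 1 - (1-0)(1-0.22)(1-0) = 0.22 \\
\mathrm{Impact} &= 6.42 \times 0.22 \approx 1.41 \qquad (\text{S:U}) \\
\mathrm{Exploitability} &= 8.22 \times 0.85 \times 0.44 \times 0.85 \times 0.62 \approx 1.62 \\
\mathrm{Base} &= \mathrm{Roundup}\big(\min(1.41 + 1.62,\ 10)\big) = \mathrm{Roundup}(3.03) = 3.1
\end{aligned}
$$

The Low rating comes almost entirely from AC:H and UI:R: the attacker must know or guess the backend prefix and get an authenticated user to follow the link, and the only impact is a partial loss of integrity in that user's session.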
EPSS 0.14% (4.0th percentile)
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | system | >= 0 < 3.7.16 | 3.7.16 |
| october | system | >= 4.0.0 < 4.1.16 | 4.1.16 |
| octobercms | october | < 3.7.16 | 3.7.16 |
| octobercms | october | >= 4.0.0 < 4.1.16 | 4.1.16 |
Both package identifiers refer to the same October CMS releases; the 3.x and 4.x ranges follow the advisory text (fixed in 3.7.16 and 4.1.16 respectively).
GHSA · 2026-04-21
CVE-2026-27937 [LOW] CWE-79: October CMS: Reflected XSS via DataTable Form Widget
A reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping.
### Impact
- Reflected XSS only, no stored/persistent component
- The backend URL prefix is customizable and must be known or guessed by the attacker
- Requires an authenticated backend user to visit a crafted URL
- No direct access is gained without social engineering
### Patches
The vulnerability has been patched in v3.7.16 and v4.1.16. The affected parameter is now properly escaped. All users are encouraged to upgrade to the latest patched version.
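The pattern the advisory describes, shown as an added example that is not October CMS source and not the project's fix: a backend widget partial that concatenates a query parameter straight into an HTML attribute, beside the escaped form and a small regression check. The parameter name `search`, the function names and the markup are assumptions chosen for illustration; the real DataTable widget is not reproduced here.

```php
<?php
// Added example, not October CMS source. The widget markup, the parameter name
// "search" and the function names are assumptions chosen for illustration.
declare(strict_types=1);

// Vulnerable: the query parameter is concatenated into HTML verbatim, so a value
// such as  "><script>...</script>  closes the attribute and injects live markup.
function renderSearchBoxVulnerable(array $query): string
{
    $term = (string) ($query['search'] ?? '');
    return '<input type="text" name="search" value="' . $term . '">';
}

// Hardened: escape for the HTML context the value lands in. ENT_QUOTES covers
// both quote characters (needed for attribute context); ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently turning the whole output into an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSearchBoxPatched(array $query): string
{
    $term = (string) ($query['search'] ?? '');
    return '<input type="text" name="search" value="' . escapeHtml($term) . '">';
}

// Regression check: does the rendered HTML still contain the payload verbatim?
function reflectsUnescaped(string $html, string $payload): bool
{
    return str_contains($html, $payload);   // PHP 8+
}

// Constructed query of a crafted backend URL, e.g. /<backend-prefix>/...?search=...
$crafted = ['search' => '"><script>alert(document.domain)</script>'];
$benign  = ['search' => 'Smith & Sons'];

$vuln    = renderSearchBoxVulnerable($crafted);
$patched = renderSearchBoxPatched($crafted);

printf("vulnerable: %s\n", $vuln);
printf("patched:    %s\n", $patched);
printf("benign:     %s\n", renderSearchBoxPatched($benign));

// The vulnerable renderer reflects the payload as-is; the patched one must not,
// and must still carry a benign value through (as &amp;-encoded text).
if (!reflectsUnescaped($vuln, $crafted['search'])
    || reflectsUnescaped($patched, $crafted['search'])
    || !str_contains(renderSearchBoxPatched($benign), 'Smith &amp; Sons')) {
    throw new RuntimeException('escaping check failed');
}
```

In a Laravel-based code base such as October the framework's `e()` helper does the same job as `escapeHtml()` above; what matters is that the escaping happens at the output site, for the context the value lands in (an attribute here), rather than being applied once on input and assumed to hold everywhere.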
### Workarounds
- Use a non-default backend URL prefix (recommended as standard practice)
- Implement a Content Securi
VulDB · 2026-04-21 · CVSS 3.1
CVE-2026-27937 [LOW] October CMS up to 3.7.15/4.1.15 DataTable Widget cross site scripting
A vulnerability classified as problematic has been found in October CMS up to 3.7.15/4.1.15. It affects unknown code in the DataTable Widget component; manipulating the affected query parameter results in cross-site scripting.
The vulnerability is tracked as CVE-2026-27937. It can be exploited remotely. No public exploit is available.
The affected component should be upgraded (3.7.16 or 4.1.16).
Suricata · 2026-01-28 · CVSS 6.5
CVE-2024-27937 [MEDIUM] ET WEB_SPECIFIC_APPS GLPI Authenticated Object Disclosure via Dropdown Component (CVE-2024-27937, CVE-2024-27930)
Note: this rule was indexed here on the similar CVE number only. It references CVE-2024-27937 and CVE-2024-27930 in GLPI (an authenticated object-disclosure issue in `/ajax/getDropdownValue.php`) and does not detect the October CMS reflected XSS described on this page; no Suricata rule for CVE-2026-27937 is indexed.
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated Object Disclosure via Dropdown Component (CVE-2024-27937, CVE-2024-27930)"; flow:established,to_server; http.uri; content:"/ajax/getDropdownValue.php"; fast_pattern; http.request_body; content:"_idor_token|3d|"; content:"itemtype|3d|"; content:"displaywith|5b 5d 3d|"; content:"entity_restrict|3d|-1"; http.method; content:"POST"; reference:url,github.com/Orange-Cyberdefense/glpwnme/; reference:cve,2024-27937; reference:cve,2024-27930; classtype:web-application-attack; sid:2067164; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CV
No public exploits indexed.
No writeups or analysis indexed.