CVE-2026-27937Cross-site Scripting in October

CWE-79Cross-site Scripting3 documents3 sources
Severity
3.1LOWNVD
EPSS
0.0%
top 90.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Octobercms OctoberOctober System
Timeline
PublishedApr 21

Description

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages2 packages

Packagistoctober/system< 3.7.16+1
CVEListV5octobercms/october< 3.7.16+1

🔴Vulnerability Details

2
GHSA
October CMS: Reflected XSS via DataTable Form Widget2026-04-21
VulDB
October CMS up to 3.7.15/4.1.15 DataTable Widget cross site scripting2026-04-21
CVE-2026-27937 — Cross-site Scripting in October | cvebase