cbcvebase.
CVE-2026-27937
published 2026-04-21

Priority: P4 / 13 / low
CVSS 3.1: 3.1
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.14% (4.0th percentile)

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | system | >= 0 < 3.7.16 | 3.7.16 |
| october | system | >= 4.0.0 | |
| octobercms | october | < 3.7.16 | 3.7.16 |
| octobercms | october | | |