Description
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To work around this issue, restrict editor settings permissions to fully trusted administrators only.
Published: 2026-04-14
Score: 5.1 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Stored XSS that can execute JavaScript when a privileged user opens a RichEditor
Action: Patch immediately
AI Analysis

Impact

October CMS versions before 3.7.14 and 4.1.10 embed unsanitized input from the Markup Classes fields into the Froala editor dropdowns. The vulnerability allows a user with editor settings permissions to store malicious JavaScript payloads in CSS class values. When a user later opens a RichEditor, the script runs in the victim's browser, potentially leading to privilege escalation or session hijacking. The weakness is a stored cross-site scripting flaw (CWE-79).

Affected Systems

The flaw affects October CMS (vendor: October), specifically all releases older than 3.7.14 and 4.1.10. Any deployment of these versions that allows editing of content via the Backend Editor is susceptible unless editor settings permissions have already been restricted to trusted administrators.

Risk and Exploitability

The CVSS base score is 5.1, indicating moderate severity. Exploitation requires authenticated backend access with editor settings permissions, so the likelihood is limited to users granted those rights. No EPSS score is reported, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is therefore constrained to legitimate backend users; however, the impact could include privilege escalation if a superuser opens the affected editor. A fix exists in the stated versions; where it cannot be applied yet, limiting editor settings permissions is the available workaround.

Generated by OpenCVE AI on April 14, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade October CMS to version 3.7.14 or 4.1.10 or later
  • If upgrading is not immediately possible, restrict editor settings permissions to fully trusted administrators only as a temporary measure
  • Verify that no existing content contains malicious CSS class values in the editor
  • Monitor logs for attempts to inject unexpected markup classes and review editor usage after applying the fix

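The fix described above, and the recommended check that no stored content carries malicious CSS class values, both reduce to the same two controls: accept only valid CSS class-name characters when a Markup Classes value is saved, and HTML-escape the value when it is rendered into a dropdown. The following is an added example written for this page, not code from October CMS or Froala; the `{label, className}` entry shape and the sample entries are assumptions constructed for illustration.

```javascript
// Added example (not October CMS or Froala code). Two layers of defence for
// editor "Markup Classes" style presets: an allowlist validator applied when the
// setting is saved (or when auditing stored settings), and HTML escaping when a
// dropdown item is built from the stored value.

// Conservative allowlist for one CSS class token: optional leading '-', then a
// letter or underscore, then letters, digits, '-' or '_'. CSS also permits
// escapes and non-ASCII identifiers; they are deliberately rejected here because
// style presets do not need them (design choice, not a CSS spec rule).
const CLASS_TOKEN = /^-?[A-Za-z_][A-Za-z0-9_-]*$/;

// True only if the value is a non-empty, whitespace-separated list of valid tokens.
function isValidClassList(value) {
  if (typeof value !== 'string' || value.trim() === '') return false;
  return value.trim().split(/\s+/).every((tok) => CLASS_TOKEN.test(tok));
}

// Validate a list of {label, className} preset entries (hypothetical shape).
// Returns the normalised accepted entries and the rejected ones for review.
function sanitizeMarkupClasses(entries) {
  const accepted = [];
  const rejected = [];
  for (const e of entries) {
    if (e && typeof e.label === 'string' && isValidClassList(e.className)) {
      accepted.push({
        label: e.label,
        className: e.className.trim().split(/\s+/).join(' '),
      });
    } else {
      rejected.push(e);
    }
  }
  return { accepted, rejected };
}

// Minimal HTML escaping for text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Build dropdown markup. Validated values are still escaped, so the output
// cannot contain markup even if a bad value reached storage some other way.
function renderDropdown(entries) {
  return entries
    .map((e) => `<li data-class="${escapeHtml(e.className)}">${escapeHtml(e.label)}</li>`)
    .join('');
}

// Constructed sample entries (not real October CMS settings): two valid presets,
// two containing characters outside the allowlist, and one empty value.
const SAMPLE_ENTRIES = [
  { label: 'Lead paragraph', className: 'lead' },
  { label: 'Muted', className: 'text-muted  small' },
  { label: 'Broken', className: 'a<b>' },
  { label: 'Quoted', className: 'x" y' },
  { label: 'Empty', className: '' },
];

function demo() {
  const { accepted, rejected } = sanitizeMarkupClasses(SAMPLE_ENTRIES);
  return { accepted, rejected, html: renderDropdown(accepted) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running `sanitizeMarkupClasses` over exported editor settings is a direct way to perform the "verify that no existing content contains malicious CSS class values" step: anything in `rejected` deserves a look. The allowlist is intentionally stricter than the CSS grammar; loosening it is a deliberate decision, not a correctness fix.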


Advisories
Source: GitHub GHSA
ID: GHSA-6qmh-j78v-ffp7
Title: October CMS has Stored XSS in Backend Editor Markup Classes
History

Tue, 21 Apr 2026 17:30:00 +0000

  • CPEs (values added): cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*
  • Metrics (values added): cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Thu, 16 Apr 2026 14:15:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:45:00 +0000

  • First Time appeared (values added): Octobercms; Octobercms october
  • Vendors & Products (values added): Octobercms; Octobercms october

Tue, 14 Apr 2026 18:00:00 +0000

  • Description (values added): October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To workaround this issue, restrict editor settings permissions to fully trusted administrators only
  • Title (values added): October CMS has Stored XSS in its Backend Editor Markup Classes
  • Weaknesses (values added): CWE-79
  • References (values added)
  • Metrics (values added): cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T13:46:05.447Z

Reserved: 2026-01-27T19:35:20.530Z

Link: CVE-2026-24906

Vulnrichment

Updated: 2026-04-16T13:46:01.037Z

NVD

Status: Analyzed

Published: 2026-04-14T18:16:45.063

Modified: 2026-04-21T17:24:04.290

Link: CVE-2026-24906

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:41:09Z

Weaknesses