Description
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure.
Published: 2026-04-14
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

October CMS versions before 3.7.14 and 4.1.10 store email preview content directly in an iframe that lacks a sandbox, allowing embedded JavaScript to run in the viewer’s browser. This stored XSS can be used to hijack user sessions, steal cookies or perform other malicious actions within the context of the victim’s administrative session, impacting confidentiality and integrity of the CMS data.
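The mechanism above (logged mail HTML rendered in an iframe without a sandbox) is the kind of defect that is easy to check for in markup. The following is an added example, not October CMS code: it emits a preview iframe with an empty `sandbox` token list and a properly attribute-escaped `srcdoc`, and it includes a small audit helper that flags an iframe with no `sandbox` attribute or with the `allow-scripts` plus `allow-same-origin` pair (which lets a framed same-origin document remove its own restrictions). The function names and the sample mail body are constructed for this example.

```javascript
// Added example (not October CMS code): emitting a mail-preview iframe so that scripts
// inside logged mail HTML cannot run in the viewer's origin, plus an audit helper for
// existing markup. Names and the sample mail body are constructed for this example.

// Constructed sample of a logged mail body: ordinary HTML with an embedded script tag.
const SAMPLE_MAIL_HTML =
  '<p>Order #42 for "Acme &amp; Co"</p><script>console.log("should never run")</script>';

// Escape text for placement inside a double-quoted HTML attribute (srcdoc).
// Browsers decode these entities before parsing the srcdoc document, so the mail body
// is displayed unchanged while it can never terminate the attribute early.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened preview: an empty sandbox token list disables script execution, forms,
// popups and same-origin access, so the framed mail body is an inert opaque-origin document.
function buildSandboxedPreview(untrustedHtml) {
  const body = escapeAttr(untrustedHtml);
  return `<iframe sandbox="" referrerpolicy="no-referrer" srcdoc="${body}"></iframe>`;
}

// Parse the attributes of the first <iframe> tag in a markup string into a name -> value map.
// Limitation: a raw '>' inside a quoted attribute value would cut the tag short; markup
// produced by buildSandboxedPreview never contains one because '>' is escaped.
function iframeAttributes(markup) {
  const tag = /<iframe\b([^>]*)>/i.exec(markup);
  if (!tag) return null;
  const attrs = {};
  const re = /([^\s=/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Audit helper: decide whether an iframe's sandbox policy keeps framed scripts away from
// the viewer's session. Two failure modes are flagged: no sandbox attribute at all (the
// pattern this advisory describes), and allow-scripts combined with allow-same-origin.
function auditIframeSandbox(markup) {
  const attrs = iframeAttributes(markup);
  if (!attrs) return { safe: false, reason: 'no iframe tag found' };
  if (!('sandbox' in attrs)) return { safe: false, reason: 'iframe has no sandbox attribute' };
  const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    return { safe: false, reason: 'allow-scripts with allow-same-origin defeats the sandbox' };
  }
  if (tokens.has('allow-scripts')) {
    return { safe: true, reason: 'scripts run only in an opaque origin with no access to the viewer session' };
  }
  return { safe: true, reason: 'scripts disabled by sandbox' };
}

// Stand-alone run: emit the hardened markup and audit it.
const preview = buildSandboxedPreview(SAMPLE_MAIL_HTML);
console.log(preview);
console.log(auditIframeSandbox(preview));
```

The audit helper is the check a reviewer would run over templates that embed logged or user-supplied HTML: the fix the advisory describes amounts to making `auditIframeSandbox` return `safe: true` for the preview markup, and the `srcdoc` escaping is what keeps the mail body from breaking out of the attribute into the surrounding admin page.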

Affected Systems

October CMS products released before version 3.7.14 or 4.1.10 are vulnerable. Administrators and users who can access the Event Log mail preview feature are directly affected.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. No EPSS score is available, and the vulnerability is not currently listed in CISA’s KEV catalog, suggesting there is no widely known exploit at present. Exploitation requires authenticated access and a user who can view the mail preview in the Event Log; once such a user renders the preview, the stored JavaScript executes without further user interaction. Because the flaw is only triggered when the preview is rendered, the attack surface is limited to users with permission to view the Event Log.

Generated by OpenCVE AI on April 14, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade October CMS to version 3.7.14 or 4.1.10.
  • Restrict mail template editing permissions to fully trusted administrators.
  • Limit Event Log viewing permissions to reduce exposure.

Advisories

Source: GitHub GHSA
ID: GHSA-j4j5-9x6g-rgxc
Title: October CMS has Stored XSS in Event Log Mail Preview

History

Wed, 15 Apr 2026 14:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Octobercms; Octobercms october
Vendors & Products  |                | Octobercms; Octobercms october

Tue, 14 Apr 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure.
Title       |                | October CMS has Stored XSS via Event Log Mail Preview
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Octobercms October
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T19:29:45.761Z

Reserved: 2026-01-27T19:35:20.530Z

Link: CVE-2026-24907

Vulnrichment

Updated: 2026-04-14T19:29:40.684Z

NVD

Status : Received

Published: 2026-04-14T18:16:45.233

Modified: 2026-04-14T18:16:45.233

Link: CVE-2026-24907

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:41:09Z

Weaknesses