Description
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.
Published: 2026-04-21
Score: 3.1 Low
EPSS: n/a
KEV: No
Impact: Reflected Cross‑Site Scripting in the backend DataTable widget
Action: Patch
AI Analysis

Impact

A reflected Cross‑Site Scripting flaw exists in the backend DataTable widget of October CMS where a query parameter is rendered without proper output escaping. An attacker who can craft a URL to the admin interface can trigger the injection, causing arbitrary client‑side script to run in the context of users who access the page. This may lead to session theft, cookie theft, defacement, or the delivery of malicious payloads to administrators.

Affected Systems

The vulnerability affects October CMS versions prior to 3.7.16 in the 3.x line and prior to 4.1.16 in the 4.x line. The affected product is listed as octobercms:october.

Risk and Exploitability

The CVSS score is 3.1, indicating a low severity impact. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. However, the flaw requires the attacker to target the backend, implying that it is exploitable only if an attacker can gain access to an admin user’s session or trick an administrator into visiting the crafted link. The risk is therefore moderate in environments where the backend is exposed to untrusted users but could be higher if administrators frequently open links from untrusted sources.

Generated by OpenCVE AI on April 21, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade October CMS to version 3.7.16 (3.x line) or 4.1.16 (4.x line) or newer, which removes the reflected XSS flaw.
  • If an immediate upgrade is not possible, enforce proper output encoding or sanitize all query parameters that are rendered in the admin interface to prevent script injection.
  • As a temporary measure, disable or remove the DataTable widget from all backend pages until a patch is applied.

Advisories

Source: GitHub GHSA
ID: GHSA-jj38-h5w5-mvpf
Title: October CMS: Reflected XSS via DataTable Form Widget

History

Wed, 22 Apr 2026 00:00:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:45:00 +0000

Type: First Time appeared
Values Added: Octobercms; Octobercms october
Type: Vendors & Products
Values Added: Octobercms; Octobercms october

Tue, 21 Apr 2026 16:30:00 +0000

Type: Description
Values Added: October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.
Type: Title
Values Added: October: Reflected XSS via DataTable Form Widget
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added: (no values shown)
Type: Metrics (cvssV3_1)
Values Added: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:37:33.620Z

Reserved: 2026-02-25T03:11:36.689Z

Link: CVE-2026-27937

Vulnrichment

Updated: 2026-04-21T20:27:42.669Z

NVD

Status : Received

Published: 2026-04-21T17:16:35.900

Modified: 2026-04-21T17:16:35.900

Link: CVE-2026-27937

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses