CVE-2026-24907

MEDIUM

October CMS has Stored XSS via Event Log Mail Preview

Title source: cna

Description

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/octobercms/october/security/advisories/GHSA-j4j5-9x6g-rgxc

Scores

CVSS v3 5.4

EPSS 0.0020

EPSS Percentile 9.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (4)

october/system 4.0.0 - 4.1.10Packagist

octobercms/october < 3.7.13

octobercms/october < 3.7.14

octobercms/october >= 4.0.0, < 4.1.10

Published Apr 14, 2026

Tracked Since Apr 14, 2026