CVE-2026-27937

LOW

October: Reflected XSS via DataTable Form Widget

Title source: cna

Description

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.

References (1)

[X_Refsource_Confirm] https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf

Scores

CVSS v3 3.1

EPSS 0.0003

EPSS Percentile 9.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

october/system 0 - 3.7.16Packagist

octobercms/october < 3.7.16

octobercms/october >= 4.0.0, < 4.1.16

Published Apr 21, 2026

Tracked Since Apr 21, 2026