CVE-2026-24907

| EUVD-2026-22660 MEDIUM
2026-04-14 GitHub_M GHSA-j4j5-9x6g-rgxc
XSS
5.1
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Apr 14, 2026 - 19:43 vuln.today
CVSS Changed
Apr 14, 2026 - 18:22 NVD
5.1 (MEDIUM)

DescriptionNVD

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure.

AnalysisAI

Stored cross-site scripting (XSS) in October CMS versions prior to 3.7.14 and 4.1.10 allows authenticated users with Event Log viewing permissions to execute arbitrary JavaScript in other users' browsers via malicious HTML content in the mail preview iframe. The vulnerability stems from improper iframe sandboxing when rendering logged email messages, affecting confidentiality and integrity with a CVSS score of 5.1. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-24907 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy