Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure.
AnalysisAI
Stored cross-site scripting (XSS) in October CMS versions prior to 3.7.14 and 4.1.10 allows authenticated users with Event Log viewing permissions to execute arbitrary JavaScript in other users' browsers via malicious HTML content in the mail preview iframe. The vulnerability stems from improper iframe sandboxing when rendering logged email messages, affecting confidentiality and integrity with a CVSS score of 5.1. No public exploit code has been identified at the time of analysis.
Technical ContextAI
October CMS is a Laravel-based content management system that logs email communications for administrative review. The Event Log mail preview feature renders HTML email content within an iframe element without proper Content Security Policy (CSP) sandboxing or attribute restrictions. The underlying flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-controlled email template content is rendered without sanitization. An authenticated attacker can inject malicious JavaScript into email templates or logged messages, which executes in the context of any administrator or user viewing that log entry, bypassing same-origin restrictions due to missing sandbox attributes or Content-Security-Policy headers on the iframe.
RemediationAI
Upgrade October CMS to version 3.7.14 or later for the 3.x branch, or to version 4.1.10 or later for the 4.x branch. Vendor-released patches are available for both affected release lines. If immediate patching is not feasible, implement interim controls by restricting mail template editing permissions to fully trusted administrators only and limiting Event Log viewing permissions to authorized personnel. These workarounds reduce the attack surface by limiting who can inject malicious content and who can trigger the XSS payload. Detailed guidance is available in the official advisory at https://github.com/octobercms/october/security/advisories/GHSA-j4j5-9x6g-rgxc.
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise
An issue was discovered in October through build 471. Rated critical severity (CVSS 9.8), this vulnerability is remotely
octobercms in a CMS platform based on the Laravel PHP Framework. Rated critical severity (CVSS 9.1), this vulnerability
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for po
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulner
October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page. Rated medium severity (CVSS 6.1), this vu
October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromis
October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating
October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG fil
Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrar
A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary w
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22660
GHSA-j4j5-9x6g-rgxc