Skip to main content

October CMS CVE-2026-27937

| EUVDEUVD-2026-24157 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-21 GitHub_M GHSA-jj38-h5w5-mvpf
3.1
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:08 nvd
Patch available
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:01 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 16:30 euvd
EUVD-2026-24157
Analysis Generated
Apr 21, 2026 - 16:30 vuln.today
CVE Published
Apr 21, 2026 - 16:17 nvd
LOW 3.1

DescriptionGitHub Advisory

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.

AnalysisAI

Reflected cross-site scripting (XSS) in October CMS backend DataTable widget allows unauthenticated remote attackers to inject arbitrary JavaScript via a query parameter, requiring user interaction to execute malicious code. The vulnerability affects versions prior to 3.7.16 and 4.1.16, with a low severity CVSS score of 3.1 reflecting the requirement for high attack complexity and user clicking a malicious link.

Technical ContextAI

The vulnerability exists in the backend DataTable widget, a server-side interface component used for data display and management. A query parameter is rendered into the HTML response without proper output encoding or sanitization, allowing an attacker to break out of the HTML context and inject script tags or event handlers. This is a classic reflected XSS (CWE-79) vulnerability where untrusted input flows directly from the HTTP request to the response. The attack vector is network-accessible, but the high attack complexity requirement (AC:H) suggests either the parameter must be crafted carefully or the vulnerable code path is not trivially exposed, such as requiring a specific browser behavior or encoding bypass.

RemediationAI

Upgrade to October CMS 3.7.16 or 4.1.16 or later, depending on the currently deployed major version. Both versions contain the fix implementing proper output encoding of query parameters in the DataTable widget. Administrators should test the upgrade in a non-production environment before deploying to production to ensure no custom extensions are broken by the fix. If immediate patching is not possible, restrict backend access to trusted networks only using web server firewall rules or reverse proxy authentication, and educate users not to click links to the backend from untrusted sources. These compensating controls reduce the attack surface by limiting who can be socially engineered into clicking a malicious link, though they do not eliminate the vulnerability itself.

CVE-2017-1000119 HIGH POC
7.2 Oct 05

October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise

CVE-2021-3311 CRITICAL POC
9.8 Feb 05

An issue was discovered in October through build 471. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2021-32648 CRITICAL POC
9.1 Aug 26

octobercms in a CMS platform based on the Laravel PHP Framework. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2017-16244 HIGH POC
8.8 Nov 01

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for po

CVE-2022-21705 HIGH POC
7.2 Feb 23

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulner

CVE-2018-7198 MEDIUM POC
6.1 Feb 18

October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page. Rated medium severity (CVSS 6.1), this vu

CVE-2017-1000196 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromis

CVE-2017-1000197 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating

CVE-2017-1000194 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site

CVE-2017-15284 MEDIUM POC
5.4 Oct 12

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG fil

CVE-2015-5613 MEDIUM POC
5.4 Sep 28

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrar

CVE-2023-43876 MEDIUM POC
5.4 Sep 28

A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary w

Share

CVE-2026-27937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy