October CMS CVE-2026-27937

| EUVD-2026-24157 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-21 GitHub_M GHSA-jj38-h5w5-mvpf
XSS
3.1
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:01 vuln.today

DescriptionNVD

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.

AnalysisAI

Reflected cross-site scripting (XSS) in October CMS backend DataTable widget allows unauthenticated remote attackers to inject arbitrary JavaScript via a query parameter, requiring user interaction to execute malicious code. The vulnerability affects versions prior to 3.7.16 and 4.1.16, with a low severity CVSS score of 3.1 reflecting the requirement for high attack complexity and user clicking a malicious link.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-27937 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy