Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To workaround this issue, restrict editor settings permissions to fully trusted administrators only
AnalysisAI
Stored Cross-Site Scripting (XSS) in October CMS versions prior to 3.7.14 and 4.1.10 allows authenticated backend users with editor settings permissions to inject malicious JavaScript into Markup Classes fields, which executes unsanitized in the Froala editor dropdown menus when any user-including superusers-opens a RichEditor. This enables privilege escalation when a superuser performs routine content editing tasks. CVSS 5.1 indicates moderate risk; exploitation requires authenticated backend access and user interaction (opening an editor), but the stored nature of the payload and privilege escalation potential elevate real-world concern. No public exploit code or active CISA KEV status reported.
Technical ContextAI
October CMS is a Laravel-based content management system (CPE: cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*). The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically in the backend Editor Settings component. The Markup Classes fields-used to define paragraph styles, inline styles, and table styles-accept user input that is rendered directly into the Froala rich-text editor's dropdown menus without sanitization. The Froala editor, a third-party JavaScript component, renders these class definitions in the DOM; because the input was not restricted to valid CSS class name characters (which should match the regex [a-zA-Z_-][a-zA-Z0-9_-]*), an attacker can inject HTML/JavaScript payloads. When these unsanitized values are rendered into the editor's UI, the browser executes any embedded scripts in the context of the authenticated user's session.
RemediationAI
Upgrade October CMS to version 3.7.14 or 4.1.10 or later, which include input sanitization for Markup Classes fields. Vendor-released patches are available at https://github.com/octobercms/october/security/advisories/GHSA-6qmh-j78v-ffp7. As an interim workaround, restrict editor settings permissions to fully trusted administrators only, thereby preventing unprivileged users from injecting payloads into Markup Classes fields. Monitor backend access logs for suspicious editor settings modifications and review existing Markup Classes values for any suspicious or malformed entries that may indicate prior exploitation attempts.
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise
An issue was discovered in October through build 471. Rated critical severity (CVSS 9.8), this vulnerability is remotely
octobercms in a CMS platform based on the Laravel PHP Framework. Rated critical severity (CVSS 9.1), this vulnerability
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for po
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulner
October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page. Rated medium severity (CVSS 6.1), this vu
October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromis
October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating
October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG fil
Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrar
A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary w
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22659
GHSA-6qmh-j78v-ffp7