CVE-2026-24906: October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnera...

Description

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To workaround this issue, restrict editor settings permissions to fully trusted administrators only

Metrics

CVSS 3.1

5.4/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS 4.0

5.1/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.25%

16.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Octobercms	October	<= 3.7.13
Octobercms	October	>= 4.0.0, <= 4.1.9

References

https://github.com/octobercms/october/security/advisories/GHSA-6qmh-j78v-ffp7Vendor Advisory

Timeline

Published: Apr 14, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-24906?

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To workaround this issue, restrict editor settings permissions to fully trusted administrators only

How severe is CVE-2026-24906?

CVE-2026-24906 has a CVSS score of 5.1/10 (MEDIUM severity). The EPSS model estimates a 0.25% probability of exploitation in the next 30 days.

How do I fix CVE-2026-24906?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.