CVE-2026-24906
Stored XSS in October CMS Backend Editor Enables Privilege Escalation
Publication date: 2026-04-14
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| octobercms | october | to 3.7.13 (inc) |
| octobercms | october | From 4.0.0 (inc) to 4.1.9 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-24906 is a stored cross-site scripting (XSS) vulnerability in the Backend Editor Settings of OctoberCMS, specifically in the Markup Classes fields used for paragraph styles, inline styles, and table styles.
These fields did not restrict input to the characters valid in a CSS class name, so arbitrary markup, including JavaScript, could be stored in them.
When the stored values are later rendered unescaped into the Froala editor dropdown menus inside the RichEditor interface, that JavaScript executes as soon as any user opens the editor.
Exploitation requires an authenticated backend account with editor settings permissions. Because the payload fires for every user who opens a RichEditor, it runs in the victim's session with the victim's permissions, so a lower-privileged attacker can escalate to superuser if a superuser opens any RichEditor instance during routine content editing.
The vulnerability affects versions prior to 3.7.14 and 4.1.10 and has been fixed in those versions.
How can this vulnerability impact me?
This vulnerability can allow an attacker with authenticated backend access and editor settings permissions to inject malicious JavaScript code that executes when any user opens the RichEditor.
The injected script runs with the session and permissions of whoever opens the editor, so if a superuser does, the attacker can perform any backend action that superuser can, which amounts to privilege escalation and potentially full control of the CMS backend.
Routine content editing becomes the attack vector, so the users most likely to be hit are exactly the ones with elevated permissions.
Until patched, the risk can be mitigated by restricting editor settings permissions to fully trusted administrators only.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored malicious input in the Markup Classes fields (paragraph styles, inline styles and table styles) of the Backend Editor Settings in OctoberCMS versions prior to 3.7.14 and 4.1.10. Detection means auditing the stored values of those fields: a legitimate entry is a CSS class name, so any value containing characters that cannot appear in one (angle brackets, quotes, parentheses, equals signs, event-handler attributes such as onerror=) is suspicious.
Since exploitation requires an authenticated backend account with editor settings permissions, also review which accounts hold that permission and whether the editor settings were changed recently by any of them.
No specific detection commands are provided in the available resources.
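Since the page gives no concrete check, the following is an added example (not code from the October CMS project or from this advisory) that does two things: it audits Markup Classes values for entries that are not well-formed CSS class names, which is the detection described above, and it shows the allow-list style of sanitization the explanation above says the affected versions lacked. The class-name grammar, the field names, and the list-of-strings shape of the settings are assumptions for the example; the sample settings are constructed and include two injected values.

```python
import re

# Allow-list grammar for one CSS class name. This is an assumption for the
# example (a conservative subset of the CSS identifier grammar: optional
# leading hyphen, then a letter or underscore, then letters, digits, hyphens
# or underscores); it is not October CMS's own validation rule.
CSS_CLASS_RE = re.compile(r"^-?[_a-zA-Z][_a-zA-Z0-9-]*$")

# Characters that only make sense if the value is meant to be interpreted as
# HTML or JavaScript rather than as a class token.
MARKUP_CHARS = set("<>\"'`&=/()")


def is_valid_css_class(value: str) -> bool:
    """Allow-list check: True only for a single well-formed CSS class name."""
    return bool(CSS_CLASS_RE.fullmatch(value))


def sanitize_markup_classes(values):
    """Hardened handling: keep only entries that pass the allow-list.

    Rejecting bad entries outright is safer than stripping characters from
    them, because stripping can turn one injection into a different one.
    """
    return [v.strip() for v in values if is_valid_css_class(v.strip())]


def audit_markup_classes(field_name, values):
    """Detection helper: return (field, value, reason) for each suspicious entry."""
    findings = []
    for raw in values:
        v = raw.strip()
        if is_valid_css_class(v):
            continue
        if MARKUP_CHARS & set(v):
            reason = "contains markup/script characters"
        else:
            reason = "not a valid CSS class name"
        findings.append((field_name, v, reason))
    return findings


def audit_settings(settings):
    """Run the audit over every Markup Classes field in a settings record."""
    findings = []
    for field, values in settings.items():
        findings.extend(audit_markup_classes(field, values))
    return findings


# Constructed sample of what an exported Backend Editor Settings record might
# hold. The field names mirror the advisory's three style lists; the
# list-of-strings layout is an assumption, not October's storage format.
SAMPLE_SETTINGS = {
    "paragraph_styles": ["lead", "text-muted", "fr-text-bordered"],
    "inline_styles": ["highlight", "\"><img src=x onerror=alert(document.cookie)>"],
    "table_styles": ["table-striped", "table-dark", "x\" onmouseover=\"alert(1)"],
}


if __name__ == "__main__":
    for field, value, reason in audit_settings(SAMPLE_SETTINGS):
        print(f"[!] {field}: {value!r} ({reason})")
    print("sanitized inline_styles:",
          sanitize_markup_classes(SAMPLE_SETTINGS["inline_styles"]))
```

To use this against a real instance, export the three Markup Classes values from the backend editor settings and feed them in place of SAMPLE_SETTINGS; any finding means the stored value should be removed and the account that saved it investigated. Note that input validation is only half of the fix: the dropdown must also HTML-escape the values when it renders them, so that a value which slips past validation still cannot execute.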
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OctoberCMS to version 3.7.14 or 4.1.10 (or later), where this vulnerability is fixed.
As a temporary workaround before upgrading, restrict editor settings permissions to fully trusted administrators only, and review the existing Markup Classes values for anything that is not a plain CSS class name, since a payload stored before the upgrade is not removed by the upgrade itself.