CVE-2026-24906
Status: Received - Intake
Stored XSS in October CMS Backend Editor Enables Privilege Escalation

Publication date: 2026-04-14

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To work around this issue, restrict editor settings permissions to fully trusted administrators only.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-14
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor      | Product | Version / Range
octobercms  | october | up to and including 3.7.13
octobercms  | october | from 4.0.0 up to and including 4.1.9
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-24906 is a stored cross-site scripting (XSS) vulnerability in the Backend Editor Settings of OctoberCMS, specifically in the Markup Classes fields used for paragraph styles, inline styles, and table styles.

These fields did not restrict input to valid CSS class name characters, so an attacker with access to the editor settings could store arbitrary markup, including script-bearing attributes, in place of a class name.

Because the stored values are rendered unescaped in the Froala editor dropdown menus inside the RichEditor, the injected JavaScript executes as soon as any backend user opens a RichEditor.

Exploitation requires authenticated backend access with editor settings permissions and can lead to privilege escalation if a superuser opens any RichEditor instance during routine content editing.

The vulnerability affects versions prior to 3.7.14 and 4.1.10 and has been fixed in those versions.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability allows an attacker who already has authenticated backend access with editor settings permissions to store JavaScript that executes in the browser of any user who opens the RichEditor.

The script runs in the victim's authenticated backend session, so if the victim is a superuser it can perform any action that account is allowed to perform; this is the privilege escalation path, since a low-privilege settings editor can turn a superuser's routine content edit into actions taken on the attacker's behalf.

Routine content editing (for example, opening a blog post) therefore becomes the trigger, which raises the likelihood that a privileged account is affected.

Until patched, the risk can be mitigated by restricting editor settings permissions to fully trusted administrators only.

Detection Guidance

This vulnerability involves stored malicious input in the Markup Classes fields of the Backend Editor Settings in OctoberCMS versions prior to 3.7.14 and 4.1.10. Detection consists of confirming the installed version and inspecting the stored values of these fields.

Because exploitation requires authenticated backend access with editor settings permissions, review every paragraph, inline and table style entry in the backend editor settings for anything that is not a plain CSS class name: quotes, angle brackets, equals signs, parentheses or other characters that cannot appear in a class name indicate tampering. Also review which backend accounts hold editor settings permissions, since those are the accounts that could have planted such values.

No specific detection commands are provided in the available resources.
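The check described above, and the "valid CSS class name characters" sanitization that the fix applies to the Markup Classes fields, as one added Python example. This is not October CMS code and not part of the advisory: the setting field names (html_style_paragraph, html_style_inline, html_style_table) and the row key class_name are hypothetical stand-ins for whatever your own settings export uses, the sample export is constructed, and the class-name pattern is a conservative ASCII reading of the CSS identifier grammar rather than the project's own rule.

```python
import json
import re

# One CSS class token: optional leading hyphen, then a letter or underscore, then
# letters, digits, hyphens or underscores. Assumption: the advisory only says
# "valid CSS class name characters"; this is a safe, strict interpretation of that.
CLASS_TOKEN_RE = re.compile(r"^-?[_A-Za-z][_A-Za-z0-9-]*$")

# Anything outside the character set allowed inside a token (used for stripping).
DISALLOWED_CHARS_RE = re.compile(r"[^_A-Za-z0-9-]")

# Hypothetical field names for the Markup Classes settings; the real keys are not
# given on the page, so adjust these to match an export of your own editor settings.
MARKUP_CLASS_FIELDS = ("html_style_paragraph", "html_style_inline", "html_style_table")


def is_valid_class_list(value: str) -> bool:
    """True if every whitespace-separated token is a well-formed CSS class name."""
    tokens = value.split()
    return bool(tokens) and all(CLASS_TOKEN_RE.match(t) for t in tokens)


def sanitize_class_list(value: str) -> str:
    """Hardened input handling: strip disallowed characters from each token, then
    drop any token that is still not an identifier (e.g. one starting with a digit)."""
    cleaned = []
    for token in value.split():
        token = DISALLOWED_CHARS_RE.sub("", token)
        if CLASS_TOKEN_RE.match(token):
            cleaned.append(token)
    return " ".join(cleaned)


def audit_editor_settings(settings: dict) -> list:
    """Detection: one finding per Markup Classes row whose class_name fails validation."""
    findings = []
    for field in MARKUP_CLASS_FIELDS:
        for index, row in enumerate(settings.get(field) or []):
            class_name = str(row.get("class_name", ""))
            if not is_valid_class_list(class_name):
                findings.append({"field": field, "index": index, "value": class_name})
    return findings


# Constructed sample export (not real data): benign rows plus one row whose
# class_name carries markup instead of class names.
SAMPLE_SETTINGS_JSON = json.dumps({
    "html_style_paragraph": [
        {"class_name": "lead", "label": "Lead paragraph"},
        {"class_name": "text-muted small", "label": "Fine print"},
    ],
    "html_style_inline": [
        {"class_name": "\"><img src=x onerror=alert(1)>", "label": "Highlight"},
    ],
    "html_style_table": [
        {"class_name": "table table-striped", "label": "Striped"},
    ],
})


def run_sample_audit() -> list:
    """Parse the constructed export and return the audit findings."""
    return audit_editor_settings(json.loads(SAMPLE_SETTINGS_JSON))


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(f"{finding['field']}[{finding['index']}]: suspicious class_name "
              f"{finding['value']!r} -> sanitized {sanitize_class_list(finding['value'])!r}")
```

Run audit_editor_settings over a JSON export of the backend editor settings to get a list of rows to inspect by hand; an empty list on an unpatched install is not proof of absence, only that the stored values currently pass this pattern. Input-side sanitization like sanitize_class_list is what the advisory describes for the fix, but the rendering side should still HTML-escape every value placed into the dropdown markup, since stored values predating the patch are not cleaned retroactively by validation on save.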

Mitigation Strategies

The primary mitigation is to upgrade OctoberCMS to 3.7.14 or later on the 3.x branch, or 4.1.10 or later on the 4.x branch, where this vulnerability has been fixed.

As a temporary workaround before upgrading, restrict editor settings permissions exclusively to fully trusted administrators to reduce the risk of exploitation.
