CVE-2026-24907
Received Received - Intake
Stored XSS in October CMS Event Log Mail Preview

Publication date: 2026-04-14

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24907
EUVD
EUVD-2026-22660
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
octobercms october to 3.7.13 (inc)
octobercms october From 4.0.0 (inc) to 4.1.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the Event Log mail preview feature of OctoberCMS versions prior to 3.7.14 and 4.1.10. Detection involves verifying the version of OctoberCMS in use and checking for unauthorized or suspicious mail template edits that could inject malicious HTML or JavaScript.

Since exploitation requires authenticated backend access with mail template editing permissions, detection can focus on auditing user permissions and recent changes to mail templates.

There are no specific commands provided in the available resources to detect this vulnerability directly on the network or system.

Mitigation Strategies

To mitigate this vulnerability immediately, update October CMS to version 3.7.14 or 4.1.10 where the issue is fixed.

If updating is not possible right away, apply the following workarounds:

  • Restrict mail template editing permissions to fully trusted administrators only.
  • Restrict Event Log viewing permissions to minimize exposure.
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue found in the October Content Management System (CMS) and web platform versions prior to 3.7.14 and 4.1.10. It occurs in the Event Log mail preview feature, where HTML content from logged mail messages is rendered inside an iframe without proper sandboxing. This lack of sandboxing allows malicious JavaScript code embedded in the mail content to execute in the browser context of the user viewing the log.

Impact Analysis

The vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users who view the logged mail messages. This can lead to unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the user within the CMS. The impact is heightened if users with elevated permissions view the logs, potentially compromising the security of the system.

If immediate updates are not possible, mitigating the risk involves restricting mail template editing permissions to fully trusted administrators and limiting Event Log viewing permissions to reduce exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24907. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart