CVE-2026-24907
Received Received - Intake

Stored XSS in October CMS Event Log Mail Preview

Vulnerability report for CVE-2026-24907, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-14

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-14
Last Modified
2026-04-21
Generated
2026-07-06
AI Q&A
2026-04-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
octobercms october to 3.7.13 (inc)
octobercms october From 4.0.0 (inc) to 4.1.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability immediately, update October CMS to version 3.7.14 or 4.1.10 where the issue is fixed.

If updating is not possible right away, apply the following workarounds:

  • Restrict mail template editing permissions to fully trusted administrators only.
  • Restrict Event Log viewing permissions to minimize exposure.
Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue found in the October Content Management System (CMS) and web platform versions prior to 3.7.14 and 4.1.10. It occurs in the Event Log mail preview feature, where HTML content from logged mail messages is rendered inside an iframe without proper sandboxing. This lack of sandboxing allows malicious JavaScript code embedded in the mail content to execute in the browser context of the user viewing the log.

Impact Analysis

The vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users who view the logged mail messages. This can lead to unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the user within the CMS. The impact is heightened if users with elevated permissions view the logs, potentially compromising the security of the system.

If immediate updates are not possible, mitigating the risk involves restricting mail template editing permissions to fully trusted administrators and limiting Event Log viewing permissions to reduce exposure.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability is a stored cross-site scripting (XSS) issue in the Event Log mail preview feature of OctoberCMS versions prior to 3.7.14 and 4.1.10. Detection involves verifying the version of OctoberCMS in use and checking for unauthorized or suspicious mail template edits that could inject malicious HTML or JavaScript.

Since exploitation requires authenticated backend access with mail template editing permissions, detection can focus on auditing user permissions and recent changes to mail templates.

There are no specific commands provided in the available resources to detect this vulnerability directly on the network or system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24907. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart