CVE-2026-24907
Stored XSS in October CMS Event Log Mail Preview
Publication date: 2026-04-14
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| octobercms | october | to 3.7.13 (inc) |
| octobercms | october | From 4.0.0 (inc) to 4.1.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update October CMS to version 3.7.14 or 4.1.10 where the issue is fixed.
If updating is not possible right away, apply the following workarounds:
- Restrict mail template editing permissions to fully trusted administrators only.
- Restrict Event Log viewing permissions to minimize exposure.
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue found in the October Content Management System (CMS) and web platform versions prior to 3.7.14 and 4.1.10. It occurs in the Event Log mail preview feature, where HTML content from logged mail messages is rendered inside an iframe without proper sandboxing. This lack of sandboxing allows malicious JavaScript code embedded in the mail content to execute in the browser context of the user viewing the log.
How can this vulnerability impact me? :
The vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users who view the logged mail messages. This can lead to unauthorized actions such as session hijacking, data theft, or performing actions on behalf of the user within the CMS. The impact is heightened if users with elevated permissions view the logs, potentially compromising the security of the system.
If immediate updates are not possible, mitigating the risk involves restricting mail template editing permissions to fully trusted administrators and limiting Event Log viewing permissions to reduce exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored cross-site scripting (XSS) issue in the Event Log mail preview feature of OctoberCMS versions prior to 3.7.14 and 4.1.10. Detection involves verifying the version of OctoberCMS in use and checking for unauthorized or suspicious mail template edits that could inject malicious HTML or JavaScript.
Since exploitation requires authenticated backend access with mail template editing permissions, detection can focus on auditing user permissions and recent changes to mail templates.
There are no specific commands provided in the available resources to detect this vulnerability directly on the network or system.