Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
October CMS: Untrusted Editor Settings Can Execute Malicious Code
CVE-2026-24906
GHSA-6qmh-j78v-ffp7
GHSA-6qmh-j78v-ffp7
Summary
Old versions of October CMS have a security flaw that could allow an attacker to take over the system by tricking an administrator into opening a specially crafted document. To fix this, update to version 3.7.14 or 4.1.10, or limit editor settings access to trusted administrators only.
What to do
- Update october system to version 4.1.10.
- Update october system to version 3.7.14.
- Update october october/system to version 4.1.10.
- Update october october/system to version 3.7.14.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| composer | october | system |
>= 4.0.0, <= 4.1.9 <= 3.7.13 Fix: upgrade to 4.1.10
|
| Packagist | october | october/system |
>= 4.0.0, < 4.1.10 < 3.7.14 Fix: upgrade to 4.1.10
|
Original title
October CMS has Stored XSS in Backend Editor Markup Classes
Original description
A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor.
### Impact
- Stored XSS via editor settings rendered in RichEditor dropdowns
- Could allow privilege escalation if a superuser opens any RichEditor (e.g., editing a blog post)
- Requires authenticated backend access with editor settings permissions
- Triggers on routine content editing operations
### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.
### Workarounds
If upgrading immediately is not possible:
- Restrict editor settings permissions to fully trusted administrators only
### References
- Reported by [Chris Alupului](https://github.com/neosprings)
### Impact
- Stored XSS via editor settings rendered in RichEditor dropdowns
- Could allow privilege escalation if a superuser opens any RichEditor (e.g., editing a blog post)
- Requires authenticated backend access with editor settings permissions
- Triggers on routine content editing operations
### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.
### Workarounds
If upgrading immediately is not possible:
- Restrict editor settings permissions to fully trusted administrators only
### References
- Reported by [Chris Alupului](https://github.com/neosprings)
nvd CVSS4.0
5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 14 Apr 2026 · Updated: 16 Apr 2026 · First seen: 14 Apr 2026