CVE-2026-24906: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in octobercms october
OctoberCMS versions prior to 3.7.14 and 4.1.10 contain a stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The vulnerability arises because the Markup Classes fields do not properly sanitize input, allowing malicious JavaScript to execute when a user opens a RichEditor. Exploitation requires authenticated backend access with editor settings permissions and could lead to privilege escalation if a superuser opens the editor. The issue has been fixed in versions 3.7.14 and 4.1.10.
AI Analysis
Technical Summary
CVE-2026-24906 is a stored XSS vulnerability in OctoberCMS's Backend Editor Settings affecting versions before 3.7.14 and between 4.0.0 and 4.1.10. The Markup Classes fields, which define paragraph, inline, and table styles, do not sanitize input to valid CSS class name characters. This allows malicious input to be rendered unsanitized in Froala editor dropdown menus, enabling JavaScript execution when any user opens a RichEditor. Exploitation requires authenticated backend access with editor settings permissions and can lead to privilege escalation if a superuser opens the editor during content editing. The vulnerability is fixed in versions 3.7.14 and 4.1.10.
Potential Impact
Successful exploitation allows an attacker with editor settings permissions to execute arbitrary JavaScript in the context of the backend interface, potentially leading to privilege escalation if a superuser opens the RichEditor. This could compromise the integrity of the CMS backend and allow unauthorized actions. The vulnerability requires authenticated access and specific permissions, limiting the attack surface.
Mitigation Recommendations
This vulnerability is fixed in OctoberCMS versions 3.7.14 and 4.1.10. Users should upgrade to these or later versions to remediate the issue. Until patched, restrict editor settings permissions strictly to fully trusted administrators to reduce the risk of exploitation.
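As an added illustration of the root cause and its mitigation (this is example code written for this page, not OctoberCMS's own code, and it does not reproduce the project's actual fix): the advisory says the Markup Classes fields were not restricted to valid CSS class name characters, so whatever was saved ended up inside editor dropdown markup. The block below shows a server-side allow-list check that rejects any entry that is not a plain CSS class name, next to the string-concatenation rendering pattern that makes such input dangerous and a hardened renderer that fails closed and escapes labels. The `{ className, label }` input shape, the 64-character limit and the `<li>` markup are assumptions made for the example; the real Froala dropdown markup differs.

```javascript
// Added example (not OctoberCMS code): allow-list validation for user-supplied
// "Markup Classes" entries before they reach an editor dropdown.
//
// Assumed input shape (constructed for this example): an array of
// { className, label } objects, one per dropdown entry.

// Conservative ASCII subset of a CSS identifier: optional leading hyphen, then a
// letter or underscore, then letters, digits, underscores or hyphens. Anything
// that could change the structure of the surrounding markup (quotes, '<', '>',
// spaces, '/') fails this test. Length limit is an assumption for the example.
const CSS_CLASS_NAME = /^-?[_a-zA-Z][_a-zA-Z0-9-]*$/;
const MAX_CLASS_LENGTH = 64;

function isValidCssClassName(name) {
  return typeof name === 'string'
    && name.length > 0
    && name.length <= MAX_CLASS_LENGTH
    && CSS_CLASS_NAME.test(name);
}

// Minimal HTML escaping for text and double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak pattern: stored settings values are interpolated straight into markup.
// A class name containing a quote or angle bracket is no longer just a class
// name once it is emitted this way.
function renderDropdownUnsafe(entries) {
  return entries.map((e) => `<li class="${e.className}">${e.label}</li>`).join('');
}

// Save-time validation: partition entries into accepted and rejected so the
// settings form can refuse the save and tell the user which lines are bad.
function validateMarkupClasses(entries) {
  const accepted = [];
  const rejected = [];
  for (const entry of entries) {
    if (isValidCssClassName(entry.className)) {
      const label = entry.label == null ? entry.className : String(entry.label);
      accepted.push({ className: entry.className, label });
    } else {
      rejected.push({ entry, reason: 'class name is not a valid CSS identifier' });
    }
  }
  return { accepted, rejected };
}

// Hardened rendering: re-check every class name (defence in depth for values
// stored before validation existed) and escape the human-readable label.
function renderDropdownSafe(entries) {
  return entries.map((e) => {
    if (!isValidCssClassName(e.className)) {
      throw new Error(`refusing to render invalid class name: ${JSON.stringify(e.className)}`);
    }
    return `<li class="${e.className}">${escapeHtml(e.label)}</li>`;
  }).join('');
}

// Constructed sample input: two acceptable entries and three that must be rejected.
const SAMPLE_MARKUP_CLASSES = [
  { className: 'lead', label: 'Lead paragraph' },
  { className: 'text-muted', label: 'Muted & quiet' },
  { className: 'x"><i', label: 'Breaks out of the attribute' },
  { className: '9col', label: 'Starts with a digit' },
  { className: 'two words', label: 'Contains a space' },
];

const outcome = validateMarkupClasses(SAMPLE_MARKUP_CLASSES);
console.log('accepted:', outcome.accepted.map((e) => e.className));
console.log('rejected:', outcome.rejected.map((r) => r.entry.className));
console.log(renderDropdownSafe(outcome.accepted));
```

The important design choice is that validation happens where the value is stored, not only where it is displayed: a stored value is rendered every time any backend user opens a RichEditor, which is exactly why the advisory classifies this as stored XSS with a path to privilege escalation. The renderer still re-validates so that a value written before the check existed cannot slip through.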
CVSS v4.0
Score: 5.1 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-27T19:35:20.530Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69df733482d89c981ff25cd7
Added to database: 4/15/2026, 11:15:00 AM
Last enriched: 4/22/2026, 11:12:25 PM
Last updated: 6/5/2026, 2:19:29 PM
Views: 100