CVE-2026-24906
October CMS has Stored XSS in Backend Editor Markup Classes
Description
A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. ### Impact - Stored XSS via editor settings rendered in RichEditor dropdowns - Could allow privilege escalation if a superuser opens any RichEditor (e.g., editing a blog post) - Requires authenticated backend access with editor settings permissions - Triggers on routine content editing operations ### Patches The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version. ### Workarounds If upgrading immediately is not possible: - Restrict editor settings permissions to fully trusted administrators only ### References - Reported by [Chris Alupului](https://github.com/neosprings)
How to fix CVE-2026-24906
To remediate CVE-2026-24906, upgrade the affected package to a fixed version below.
- —upgrade to 4.1.10 or later
Is CVE-2026-24906 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0.0, < 4.1.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |