CVE-2026-24907
October CMS has Stored XSS in Event Log Mail Preview
Description
A stored cross-site scripting (XSS) vulnerability was identified in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. ### Impact - Stored XSS via mail template content rendered in Event Log - Could allow privilege escalation if a superuser views a malicious log entry - Requires authenticated backend access with mail template editing permissions - Requires a superuser to view the specific Event Log entry to trigger ### Patches The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version. ### Workarounds If upgrading immediately is not possible: - Restrict mail template editing permissions to fully trusted administrators only - Restrict Event Log viewing permissions to minimize exposure ### References - Reported by [Chris Alupului](https://github.com/neosprings)
How to fix CVE-2026-24907
To remediate CVE-2026-24907, upgrade the affected package to a fixed version below.
- —upgrade to 4.1.10 or later
Is CVE-2026-24907 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0.0, < 4.1.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |