CVE-2026-27937
October CMS: Reflected XSS via DataTable Form Widget
Description
A reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. ### Impact - Reflected XSS only, no stored/persistent component - The backend URL prefix is customizable and must be known or guessed by the attacker - Requires an authenticated backend user to visit a crafted URL - No direct access is gained without social engineering ### Patches The vulnerability has been patched in v3.7.16 and v4.1.16. The affected parameter is now properly escaped. All users are encouraged to upgrade to the latest patched version. ### Workarounds - Use a non-default backend URL prefix (recommended as standard practice) - Implement a Content Security Policy (CSP) for backend pages
How to fix CVE-2026-27937
To remediate CVE-2026-27937, upgrade the affected package to a fixed version below.
- —upgrade to 3.7.16 or later
Is CVE-2026-27937 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.7.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |