Stored Cross-Site Scripting Vulnerability in October CMS Event Log Feature
CVE-2026-24907

5.1 MEDIUM

Key Information:

Vendor

Octobercms

Status
Vendor
CVE Published:
14 April 2026

What is CVE-2026-24907?

A stored cross-site scripting vulnerability exists in the Event Log mail preview feature of October CMS. The flaw arises because stored HTML mail content is rendered in an iframe without adequate sandboxing, so JavaScript embedded in that content can execute in the browser context of the administrator viewing the preview. The issue affects versions prior to 3.7.14 and 4.1.10. Users are advised to update to 3.7.14 or 4.1.10 to mitigate the risk; where an immediate update is not possible, restrict mail template editing and Event Log viewing permissions to trusted administrators only.
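To make the mitigation concrete, the following is an added example (not October CMS code) showing the weak pattern the advisory describes beside the hardened one: a preview frame that takes stored HTML through an iframe `srcdoc` attribute, first with no sandbox, then with an empty `sandbox` attribute that disables scripts and gives the frame an opaque origin. It also includes a small checker that decides whether a given iframe tag is acceptably sandboxed for untrusted content. The function names, the sample template and the preview markup are assumptions made for this illustration.

```javascript
// Added example, not October CMS code. Demonstrates rendering untrusted,
// stored HTML (such as a mail template preview) inside a sandboxed iframe.

// Escape a string for use inside a double-quoted HTML attribute value, so
// the stored HTML cannot terminate the srcdoc attribute or the tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The weak pattern: stored HTML becomes the frame document with no sandbox
// attribute, so any script inside it runs with the embedding page's origin.
function buildUnsandboxedPreview(html) {
  return `<iframe srcdoc="${escapeAttr(html)}"></iframe>`;
}

// The hardened pattern: an empty sandbox attribute applies every
// restriction (no scripts, no forms, no top-level navigation) and gives the
// srcdoc document a unique opaque origin, so it cannot read the viewer's
// session or cookies even if script execution were somehow reached.
function buildSandboxedPreview(html) {
  return `<iframe sandbox="" srcdoc="${escapeAttr(html)}"></iframe>`;
}

// Parse the attributes of the first <iframe> opening tag in a markup string.
// Values are expected to be double-quoted (as the builders above emit).
// Returns null when no iframe tag is present.
function iframeAttributes(markup) {
  const tag = /<iframe\b([^>]*)>/i.exec(markup);
  if (!tag) return null;
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*"([^"]*)")?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) {
    attrs[m[1].toLowerCase()] = m[2] === undefined ? "" : m[2];
  }
  return attrs;
}

// Return the sandbox tokens of the iframe, or null if the attribute is absent.
function sandboxTokens(markup) {
  const attrs = iframeAttributes(markup);
  if (!attrs || !("sandbox" in attrs)) return null;
  return attrs.sandbox.trim().split(/\s+/).filter(Boolean);
}

// Decide whether a preview frame is acceptably sandboxed for untrusted HTML.
// A missing attribute is unsafe. allow-scripts combined with
// allow-same-origin is also unsafe: a same-origin script inside the frame
// can reach the parent document and strip the sandbox attribute itself.
function isPreviewSandboxed(markup) {
  const tokens = sandboxTokens(markup);
  if (tokens === null) return false;
  const set = new Set(tokens.map((t) => t.toLowerCase()));
  return !(set.has("allow-scripts") && set.has("allow-same-origin"));
}

// Constructed sample of a stored mail template carrying a script element.
const SAMPLE_TEMPLATE = "<p>Order confirmed</p><script>alert(1)</script>";

console.log(buildSandboxedPreview(SAMPLE_TEMPLATE));
console.log(isPreviewSandboxed(buildUnsandboxedPreview(SAMPLE_TEMPLATE))); // false
console.log(isPreviewSandboxed(buildSandboxedPreview(SAMPLE_TEMPLATE)));   // true
```

The checker is useful as a review aid for any admin UI that previews stored HTML: the two conditions it enforces (attribute present, and never `allow-scripts` together with `allow-same-origin`) are the ones that matter most when the content author is not fully trusted.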

Affected Version(s)

october < 3.7.14

october >= 4.0.0, < 4.1.10

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
