Cross-site scripting in October CMS - CVE-2026-27937
Published: April 21, 2026
October CMS
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in the backend DataTable widget when rendering a query parameter in a backend URL. A remote attacker can send a specially crafted URL to execute arbitrary script in the victim's browser.
User interaction is required, and the attacker must know or guess the customized backend URL prefix.
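A log-triage check for the condition described above, as an added example that is not part of the original advisory or of October CMS itself: it flags requests under the backend prefix whose query parameters decode to HTML markup, including double-encoded values. The prefix `/manage-7f3a`, the parameter name `q` and the log lines are constructed for illustration; the advisory does not name the affected parameter.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumption: the site's customized backend URL prefix (constructed placeholder).
BACKEND_PREFIX = "/manage-7f3a"
# Markup markers a plain widget parameter should not carry; triage only, expect some noise.
SUSPICIOUS = re.compile(r"[<>\"'`]|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Request field of a common/combined access-log line: "METHOD target HTTP/x".
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, hypothetical parameter "q").
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Apr/2026:10:00:01 +0000] "GET /manage-7f3a/acme/shop/products?page=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Apr/2026:10:00:07 +0000] "GET /manage-7f3a/acme/shop/products?q=%3Cscript%3Eprobe%3C%2Fscript%3E HTTP/1.1" 200 5311',
    '203.0.113.9 - - [21/Apr/2026:10:00:09 +0000] "GET /manage-7f3a/acme/shop/products?q=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5290',
    '198.51.100.4 - - [21/Apr/2026:10:00:12 +0000] "GET /blog?q=%3Cb%3E HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(line, prefix=BACKEND_PREFIX):
    """Return [(name, decoded_value)] for backend requests whose query carries markup."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path = fully_decode(url.path)
    if not (path == prefix or path.startswith(prefix + "/")):
        return []  # only backend URLs are in scope for this check
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already decoded one layer
        if SUSPICIOUS.search(decoded) or SUSPICIOUS.search(fully_decode(name)):
            hits.append((name, decoded))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in suspicious_params(line):
            print(f"backend request with markup in {name!r}: {value!r}")
```

Because exploitation requires the attacker to know or guess the backend prefix, hits under that prefix from outside referrers are worth correlating with the authenticated session that followed the link.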