October CMS has Stored XSS in Backend Editor Markup Classes
Moderate severity
GitHub Reviewed
Published
Apr 14, 2026
in
octobercms/october
•
Updated Apr 24, 2026
Package
Affected versions
>= 4.0.0, <= 4.1.9
<= 3.7.13
Patched versions
4.1.10
3.7.14
Description
Published by the National Vulnerability Database
Apr 14, 2026
Published to the GitHub Advisory Database
Apr 14, 2026
Reviewed
Apr 14, 2026
Last updated
Apr 24, 2026
A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor.
Impact
Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.
Workarounds
If upgrading immediately is not possible:
References
References