October CMS: Reflected XSS via DataTable Form Widget
Package
Affected versions
< 3.7.16
>= 4.0.0, < 4.1.16
Patched versions
3.7.16
Description
Published to the GitHub Advisory Database
Apr 21, 2026
Reviewed
Apr 21, 2026
Published by the National Vulnerability Database
Apr 21, 2026
Last updated
Apr 24, 2026
A reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping.
Impact
Patches
The vulnerability has been patched in v3.7.16 and v4.1.16. The affected parameter is now properly escaped. All users are encouraged to upgrade to the latest patched version.
Workarounds
References