Listen to this Post
How CVE-2026-0414 works:
The vulnerability exists in October CMS backend editor settings, specifically the “Markup Classes” fields (paragraph styles, inline styles, table styles). Input is not sanitized to restrict only valid CSS class name characters (alphanumeric, hyphens, underscores). An attacker with backend access (e.g., editor or admin) can inject malicious JavaScript into these fields using payloads like `”>` or
</style><script>alert(1)</script>. The unsanitized value is stored in the database. When any user (including other admins) opens a RichEditor component (Froala editor), the dropdown menu rendering the markup classes does not escape the stored value. Instead, it directly embeds the attacker’s input into the HTML DOM. As a result, the JavaScript executes in the victim’s browser context, leading to session hijacking, CSRF attacks, or unauthorized actions. The attack is stored (persistent) and triggers each time the editor is loaded. Affected versions: October CMS v3.0.0–3.7.13 and v4.0.0–4.1.9. The issue was patched by adding a sanitization routine that strips any non‑CSS‑class characters and escapes HTML entities before rendering.
dailycve form:
Platform: October CMS
Version: 3.7.13 / 4.1.9
Vulnerability: Stored XSS
Severity: Moderate
date: Apr 14 2026
Prediction: Patch Apr 14 2026
Analytics under heading What Undercode Say:
Check vulnerable version php artisan october:version | grep -E "3.[0-7].(1[0-3]|[0-9])|4.[0-1].([0-8]|9)" Grep for unsanitized markup classes in backend grep -r "markupClasses" plugins//controllers/.php Simulate payload injection via API curl -X POST -H "X-CSRF-TOKEN: $token" \ -d "settings[bash]=<script>alert(1)</script>" \ https://target.com/backend/editor/save
Exploit:
1. Login as editor/administrator.
- Navigate to Backend → Editor Settings → Markup Classes.
3. Inject payload: `”>
4. Save settings.
5. Any user opening RichEditor triggers the payload.
Protection from this CVE:
- Upgrade to October CMS v3.7.14 or v4.1.10 immediately.
- If upgrade not possible, apply input sanitization:
`$value = preg_replace(‘/[^a-zA-Z0-9_\-]/’, ”, $input);`
- Disable RichEditor for untrusted users via backend permissions.
Impact:
- Full account takeover of any admin/editor viewing the editor.
- Theft of session cookies, leading to privilege escalation.
- Defacement or data exfiltration from the backend.
- Persistent compromise across all users until patch applied.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

