October CMS, Stored XSS, CVE-2026-24907 (Medium)

Listen to this Post

How CVE-2026-24907 Works

  1. October CMS versions prior to 3.7.14 and 4.1.10 contain a stored XSS flaw.
  2. The issue exists in the Event Log mail preview feature.
  3. An attacker with mail template editing permissions can inject malicious JavaScript.
  4. The injected payload is stored in a mail template’s HTML content.
  5. When a mail message is logged, the raw HTML content is saved in the database.
  6. A privileged user (e.g., superuser) later views that mail entry in the Event Log.
  7. The backend renders the mail preview inside an iframe.
  8. The iframe lacks proper sandboxing attributes (e.g., sandbox=”allow-same-origin”).
  9. Without sandboxing, the iframe can execute JavaScript in the viewer’s context.
  10. The JavaScript can steal session tokens, perform actions, or escalate privileges.
  11. The vulnerability is triggered automatically when the log entry is displayed.
  12. No additional user interaction is required beyond viewing the log.
  13. The attacker only needs low‑privileged backend access (mail template editing).
  14. The payload remains persistent until the mail log is cleared.
  15. The vulnerable code resides in the backend’s mail log rendering component.
  16. The fix adds proper iframe sandboxing and output encoding.
  17. Sandboxing restricts the iframe from running scripts or accessing parent windows.
  18. The issue was reported by Chris Alupului and fixed in v3.7.14 / v4.1.10.

19. Workarounds include restricting mail template editing permissions.

  1. The vulnerability has a CVSS v4 base score of 5.1 (Medium).

DailyCVE Form:

Platform: October CMS
Version: 3.7.13/4.1.9
Vulnerability : Stored XSS
Severity: Medium
date: 2026-04-14

Prediction: Update to 4.1.10/3.7.14

What Undercode Say:

Check for vulnerable installations:

composer show october/system | grep "versions"

Verify patch status:

php artisan october:version | grep -E "3.7.[0-9]+|4.[0-9]+.[0-9]+"

Monitor Event Log for suspicious scripts:

grep -r "<script" storage/logs/

Apply fix manually (if patching not possible):

composer require october/system:4.1.10
composer require october/system:3.7.14

Sandbox iframe mitigation test:

curl -k "https://target.com/backend/system/mailpreview" | grep -i "sandbox"

Exploit:

  1. Log in as an authenticated user with mail template editing permissions.
  2. Edit an existing mail template or create a new one.
  3. Insert the following payload into the HTML content:

``

  1. Send a mail using that template so the system logs the mail entry.
  2. Wait for a superuser to view the mail preview in the Event Log.
  3. When the superuser opens the log entry, the JavaScript executes.
  4. The attacker can steal the superuser’s session cookie and impersonate them.

Protection from this CVE

  1. Immediately upgrade to October CMS v3.7.14 or v4.1.10.
  2. Restrict mail template editing permissions to fully trusted administrators only.
  3. Limit Event Log viewing permissions to minimize exposure.
  4. Apply a Web Application Firewall (WAF) rule to block common XSS payloads.
  5. Use Content Security Policy (CSP) to disallow inline scripts.
  6. Sanitize all user‑supplied HTML in mail templates before rendering.

Impact

  • Stored XSS allows persistent injection of malicious scripts.
  • A superuser viewing a compromised log entry can have their session hijacked.
  • Attackers can escalate privileges from low‑level backend access to full admin rights.
  • Sensitive data (e.g., configuration keys, database credentials) can be exposed.
  • The vulnerability can be chained with other flaws to achieve remote code execution.
  • Compliance violations (PCI‑DSS, HIPAA) may occur if user data is leaked.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top