XSS in Octobercms October

CVE-2026-24906

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styl…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (1.9th percentile) — read the EPSS interpretation.