XSS in Octobercms October

CVE-2026-24907

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML con…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (11.3th percentile) — read the EPSS interpretation.