GHSA-JJ38-H5W5-MVPF
Vulnerability from github – Published: 2026-04-21 17:15 – Updated: 2026-04-21 17:15
Summary
October CMS: Reflected XSS via DataTable Form Widget
Details
A reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping.
Impact
- Reflected XSS only, no stored/persistent component
- The backend URL prefix is customizable and must be known or guessed by the attacker
- Requires an authenticated backend user to visit a crafted URL
- No direct access is gained without social engineering
Patches
The vulnerability has been patched in v3.7.16 and v4.1.16. The affected parameter is now properly escaped. All users are encouraged to upgrade to the latest patched version.
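The fixed versions above translate into two affected ranges: every 3.x release before 3.7.16, and 4.0.0 up to but not including 4.1.16. Note that the OSV record below gives the 4.x range an "introduced" event but no "fixed" event; the 4.1.16 boundary only appears in its database_specific hint, so generic OSV tooling may flag patched 4.x installs as affected. The following is an added example, not code from October CMS or from this advisory, that encodes both ranges and reads the installed version out of a composer.lock file. The lock-file excerpt is constructed for the demo; on a real project, `composer show october/system` gives the same version string.

```php
<?php
// Added example, not code from October CMS or this advisory: decide whether an
// installed october/system version sits inside the affected ranges stated above.
//   3.x line : every version before 3.7.16 (the OSV range starts at "0")
//   4.x line : 4.0.0 up to, but not including, 4.1.16
// The composer.lock excerpt further down is constructed for the demo.

declare(strict_types=1);

/**
 * True when $version is affected per the advisory. Relies on PHP's built-in
 * version_compare(), which orders "3.7.16"-style strings numerically.
 */
function isAffectedOctoberSystem(string $version): bool
{
    $version = ltrim($version, 'v'); // composer.lock keeps tag names such as "v3.7.15"

    if (version_compare($version, '4.0.0', '>=')) {
        return version_compare($version, '4.1.16', '<');
    }
    return version_compare($version, '3.7.16', '<');
}

/**
 * Installed version of $package from composer.lock JSON, or null if absent.
 * Both "packages" and "packages-dev" are searched.
 */
function installedVersionFromLock(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $all  = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($all as $pkg) {
        if (($pkg['name'] ?? null) === $package) {
            return $pkg['version'] ?? null;
        }
    }
    return null;
}

// Constructed sample lock file (two entries only), not taken from a real project.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "october/system", "version": "v3.7.15"},
    {"name": "laravel/framework", "version": "v10.48.0"}
  ]
}
JSON;

$installed = installedVersionFromLock($sampleLock, 'october/system');
if ($installed === null) {
    echo "october/system not present in lock file\n";
} else {
    printf("october/system %s affected: %s\n", $installed,
        isAffectedOctoberSystem($installed) ? 'yes, upgrade' : 'no');
}
```

Point `installedVersionFromLock()` at the real `composer.lock` contents (for example via `file_get_contents`) to run this against a deployment; the check deliberately treats any pre-4.0 version, including 2.x and 1.x, as inside the first range because that range is introduced at "0".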
Workarounds
- Use a non-default backend URL prefix (recommended as standard practice)
- Implement a Content Security Policy (CSP) for backend pages
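To make the bug class and the two controls above concrete, here is an added example that is not October CMS code and does not use the advisory's actual affected parameter: a query value reflected into backend HTML without escaping, the same output escaped for the attribute context it lands in (the kind of fix the Patches section describes), and a nonce-based CSP header of the sort the Workarounds section recommends. The parameter name "search", the markup, and the payload are illustrative assumptions constructed for the demo; in a real handler `$query` would be `$_GET`.

```php
<?php
// Added example, not October CMS code: the bug class described above, a query
// parameter reflected into backend HTML without output escaping, next to the
// two controls the advisory names, context-correct escaping (the fix) and a
// Content Security Policy (the workaround). The parameter name "search" and the
// markup are illustrative assumptions, not the advisory's affected parameter.

declare(strict_types=1);

/** Vulnerable pattern: the raw query value is concatenated into an attribute,
 *  so a value that closes the quote can inject a tag or an event handler. */
function renderSearchBoxVulnerable(array $query): string
{
    $term = $query['search'] ?? '';
    return '<input type="text" name="search" value="' . $term . '">';
}

/** Hardened pattern: escape for the HTML attribute context.
 *  ENT_QUOTES     - both quote styles become entities, so the attribute cannot be closed early.
 *  ENT_SUBSTITUTE - malformed UTF-8 becomes U+FFFD instead of the whole value
 *                   silently turning into an empty string.
 *  Query values in PHP may also arrive as arrays (?search[]=x); treat those as empty. */
function renderSearchBoxEscaped(array $query): string
{
    $raw  = $query['search'] ?? '';
    $term = htmlspecialchars(is_string($raw) ? $raw : '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="search" value="' . $term . '">';
}

/** Workaround layer: CSP with a per-response nonce. Inline script without the
 *  nonce does not run, so a reflected payload is blocked even where escaping is
 *  missed. Must be called before any output; returns the nonce for the page's
 *  legitimate <script nonce="..."> tags. */
function sendBackendCsp(): string
{
    $nonce = base64_encode(random_bytes(16));
    header(sprintf(
        "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-%s'; object-src 'none'; base-uri 'self'",
        $nonce
    ));
    return $nonce;
}

// Constructed payload: the classic attribute break-out a crafted backend URL would carry.
$crafted = ['search' => '"><script>alert(document.cookie)</script>'];

echo "vulnerable: ", renderSearchBoxVulnerable($crafted), "\n";
echo "escaped:    ", renderSearchBoxEscaped($crafted), "\n";
```

Two practical caveats. Escaping must match the output context: `htmlspecialchars` is right for element text and quoted attributes, but a value placed inside a `<script>` block, a URL, or an unquoted attribute needs a different encoder. And a strict CSP applied to an existing admin interface usually breaks inline scripts the UI depends on, so roll it out with `Content-Security-Policy-Report-Only` first and add the nonce to every legitimate inline script before enforcing; the CSP is defense in depth and does not replace upgrading to the patched versions.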
Severity
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "october/system"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 4.1.16"
},
"package": {
"ecosystem": "Packagist",
"name": "october/system"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27937"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T17:15:21Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "A reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping.\n\n### Impact\n- Reflected XSS only, no stored/persistent component\n- The backend URL prefix is customizable and must be known or guessed by the attacker\n- Requires an authenticated backend user to visit a crafted URL\n- No direct access is gained without social engineering\n\n### Patches\nThe vulnerability has been patched in v3.7.16 and v4.1.16. The affected parameter is now properly escaped. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\n- Use a non-default backend URL prefix (recommended as standard practice)\n- Implement a Content Security Policy (CSP) for backend pages",
"id": "GHSA-jj38-h5w5-mvpf",
"modified": "2026-04-21T17:15:21Z",
"published": "2026-04-21T17:15:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf"
},
{
"type": "PACKAGE",
"url": "https://github.com/octobercms/october"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "October CMS: Reflected XSS via DataTable Form Widget"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.