CVE-2026-24907 Overview
A stored cross-site scripting (XSS) vulnerability has been identified in October CMS, a popular Content Management System and web platform built on the Laravel framework. The vulnerability exists in the Event Log mail preview feature, where HTML content rendered in mail message logs is displayed in an iframe without proper sandboxing. This allows malicious JavaScript to execute in the browser context of administrators viewing logged mail messages, potentially leading to session hijacking, administrative account compromise, or further attacks against the CMS infrastructure.
Critical Impact
Authenticated attackers with mail template editing access can inject persistent malicious scripts that execute when administrators view logged mail messages, potentially compromising administrative sessions and CMS integrity.
Affected Products
- October CMS versions prior to 3.7.14
- October CMS versions prior to 4.1.10
Discovery Timeline
- 2026-04-14 - CVE-2026-24907 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-24907
Vulnerability Analysis
This stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) affects the mail logging functionality within October CMS's administrative backend. The core issue stems from the Event Log feature's mail preview component, which renders logged email content within an iframe element that lacks appropriate security restrictions.
When administrators review mail logs through the backend interface, the system retrieves stored email content including HTML markup and renders it directly in the browser. The absence of iframe sandboxing attributes means that any JavaScript embedded in the mail content executes with full access to the parent page's context. This creates a persistent attack vector where malicious payloads stored in mail logs can target any administrator who subsequently views those logs.
The attack surface requires authenticated access to mail template editing functionality, making it a moderate-severity issue that primarily affects multi-admin environments or scenarios where lower-privileged users have mail template permissions.
Root Cause
The root cause is insufficient output encoding and missing iframe sandbox restrictions in the Event Log mail preview component. When rendering HTML mail content for administrative review, the application fails to implement proper content isolation through iframe sandboxing (e.g., sandbox attribute) and does not sanitize or escape potentially dangerous HTML elements and JavaScript content before display.
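To make the root cause concrete, here is an added JavaScript example (not October CMS code; the function names, the escapeAttr() helper, the attribute parser and the sample logged message are assumptions made for this illustration). It emits the preview iframe in the unsandboxed form the advisory describes and in the sandboxed form, and includes a check a defender can keep as a regression test for the patched markup.

```javascript
// Added example (not October CMS code): the two ways a backend could emit the
// Event Log mail preview iframe. buildPreviewMarkup() is the pattern the
// advisory describes as the root cause; buildSandboxedPreviewMarkup() is the
// hardened form. Function names, escapeAttr(), parseAttrs() and the sample
// body are assumptions made for this example.

// Escape a value for use inside a double-quoted HTML attribute. The logged
// mail body goes into srcdoc="...", so it must not be able to close the quote.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Weak form: no sandbox attribute. A srcdoc document without sandbox shares
// the parent page's origin, so any <script> in the logged message executes
// with the viewing administrator's session and can read the backend DOM.
function buildPreviewMarkup(mailHtml) {
  return `<iframe class="mail-preview" srcdoc="${escapeAttr(mailHtml)}"></iframe>`;
}

// Hardened form: an empty sandbox attribute applies every restriction
// (scripts blocked, forms blocked, opaque origin, no top-level navigation).
// referrerpolicy keeps the backend URL out of requests for remote images
// embedded in the message.
function buildSandboxedPreviewMarkup(mailHtml) {
  return `<iframe class="mail-preview" sandbox srcdoc="${escapeAttr(mailHtml)}" referrerpolicy="no-referrer"></iframe>`;
}

// Tokenise the attribute list of one HTML start tag into a name -> value map.
// Quoted values are consumed whole, so the word "sandbox" inside srcdoc text
// is never mistaken for the attribute itself.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Regression check for the fix: the preview counts as isolated only if the
// iframe carries a sandbox attribute that grants neither allow-scripts nor
// allow-same-origin. Either token loosens the isolation; both together let
// framed script remove the sandbox on its own frame and escape entirely.
function previewIsIsolated(markup) {
  const tag = markup.match(/<iframe\b([^>]*)>/i);
  if (!tag) return false;
  const attrs = parseAttrs(tag[1]);
  if (!('sandbox' in attrs)) return false;
  const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  return !tokens.includes('allow-scripts') && !tokens.includes('allow-same-origin');
}

// Constructed sample: a logged message whose HTML carries an inline script.
const SAMPLE_LOGGED_MAIL = '<p>Your invoice is ready.</p><script>notify()</script>';
```

Calling previewIsIsolated(buildPreviewMarkup(SAMPLE_LOGGED_MAIL)) returns false, while the sandboxed builder returns true; the check also rejects a sandbox that grants allow-scripts together with allow-same-origin, which is the combination that makes the attribute ineffective.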
Attack Vector
The vulnerability is exploited through a network-based attack requiring authenticated access and user interaction. An attacker with mail template editing privileges crafts a malicious email template containing embedded JavaScript payloads. When the mail system logs messages generated from this template, the malicious content is stored in the Event Log. Subsequently, when an administrator navigates to the Event Log and previews the logged mail message, the JavaScript executes in their browser session.
This attack chain enables session token theft, arbitrary actions performed as the viewing administrator, or injection of additional malicious content into the CMS backend. The stored nature of this XSS means the payload persists and can affect multiple administrators over time.
Detection Methods for CVE-2026-24907
Indicators of Compromise
- Unusual JavaScript content within mail templates, particularly <script> tags or event handler attributes (onclick, onerror, etc.)
- Suspicious modifications to mail templates by users with limited administrative roles
- Event Log entries containing encoded or obfuscated JavaScript payloads
- Browser console errors or unexpected network requests when viewing Event Log mail previews
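The indicators above can be checked mechanically. The following added example (not part of this advisory or of October CMS; the indicator names and the two sample templates are constructed) scans exported mail template bodies line by line, decodes numeric and basic named entities first so that an entity-encoded script tag is reported as an encoded payload, and returns findings per template.

```javascript
// Added example (not October CMS code): a scanner a defender can run over
// exported mail templates or Event Log bodies to flag the indicators listed
// above. Indicator names and the sample templates are constructed.

// Decode numeric and the basic named HTML entities so an entity-encoded
// "<script" does not slip past the plain-text patterns (one layer only).
function decodeEntities(text) {
  const fromCode = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return text
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => fromCode(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => fromCode(parseInt(dec, 10)))
    .replace(/&lt;/gi, '<')
    .replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"')
    .replace(/&apos;/gi, "'")
    .replace(/&amp;/gi, '&');
}

// Patterns for the indicators the advisory names: script tags, inline event
// handler attributes, and javascript: URLs in link or resource attributes.
const INDICATORS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
];

// Scan one template body. A finding is marked encoded when the pattern only
// appears after entity decoding, which is the "encoded or obfuscated" case.
function scanTemplate(body) {
  const findings = [];
  body.split(/\r?\n/).forEach((rawLine, idx) => {
    const decoded = decodeEntities(rawLine);
    for (const { name, re } of INDICATORS) {
      const inRaw = re.test(rawLine);
      const inDecoded = re.test(decoded);
      if (inRaw || inDecoded) {
        findings.push({ line: idx + 1, indicator: name, encoded: !inRaw && inDecoded });
      }
    }
  });
  return findings;
}

// Scan a map of template code -> body and keep only templates with findings.
function scanAll(templates) {
  const report = {};
  for (const [code, body] of Object.entries(templates)) {
    const found = scanTemplate(body);
    if (found.length) report[code] = found;
  }
  return report;
}

// Constructed samples: one clean template and one carrying an event handler,
// a plain script tag and an entity-encoded script tag.
const SAMPLE_TEMPLATES = {
  'order.confirmed': [
    '<h1>Thanks for your order, {{ name }}</h1>',
    '<p>Your receipt is attached.</p>',
  ].join('\n'),
  'account.welcome': [
    '<h1>Welcome</h1>',
    '<img src="logo.png" onerror="loadFallback()">',
    '<script>trackOpen()</script>',
    '&lt;script&gt;trackOpen()&lt;/script&gt;',
  ].join('\n'),
};
```

scanAll(SAMPLE_TEMPLATES) reports nothing for order.confirmed and three findings for account.welcome (lines 2, 3 and 4), with the last one flagged as encoded. The event-handler pattern is deliberately broad and will occasionally match prose such as an attribute named "online"; treat hits as review queue items rather than verdicts.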
Detection Strategies
- Implement Content Security Policy (CSP) headers that restrict inline script execution in administrative interfaces
- Monitor mail template changes through version control or audit logging for unauthorized script additions
- Deploy Web Application Firewall (WAF) rules to detect XSS payload patterns in mail template submissions
- Review Event Log access patterns for anomalous viewing activity that might indicate reconnaissance
Monitoring Recommendations
- Enable detailed audit logging for all mail template modifications in October CMS
- Configure alerts for mail templates containing potentially dangerous HTML elements or JavaScript
- Monitor administrator session activity following Event Log access for signs of session hijacking
- Implement browser-based XSS detection tools in administrative environments
How to Mitigate CVE-2026-24907
Immediate Actions Required
- Upgrade October CMS to version 3.7.14 or later (for 3.x branch) or 4.1.10 or later (for 4.x branch)
- Restrict mail template editing permissions to fully trusted administrators only until patching is complete
- Limit Event Log viewing permissions to minimize exposure to potentially malicious stored content
- Review existing mail templates for suspicious JavaScript content or encoded payloads
Patch Information
October CMS has released patched versions that implement proper iframe sandboxing for the Event Log mail preview feature. The fixes are available in versions 3.7.14 and 4.1.10. Administrators should update through Composer or the October CMS update mechanism. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Restrict mail template editing permissions to fully trusted administrators only to prevent malicious template creation
- Restrict Event Log viewing permissions to minimize the number of users potentially exposed to stored XSS payloads
- Implement network-level filtering to block common XSS patterns in requests to the mail template editing endpoints
- Consider temporarily disabling the mail preview feature in Event Logs if business requirements permit
```shell
# Verify October CMS version after patching
php artisan october:version

# List backend users whose own or inherited role permissions grant mail template
# editing. hasPermission() resolves user and role permissions together, and
# superusers are included because they hold every permission.
php artisan tinker --execute="echo Backend\Models\User::all()->filter(fn(\$u) => \$u->hasPermission('system.manage_mail_templates'))->pluck('login')->implode(', '), PHP_EOL;"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

