20 matches found
October CMS Has Stored XSS In Backend Editor Markup Classes
A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...
GHSA-6QMH-J78V-FFP7 October CMS has Stored XSS in Backend Editor Markup Classes
A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...
EUVD-2026-22659
October CMS has Stored XSS in Backend Editor Markup Classes...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the processing of the Markup Classes fields within the backend editor settings. An attacker can execute arbitrary JavaScript code in the context of users who open a RichEditor by injecting malicious values th...
October CMS has Stored XSS in Backend Editor Markup Classes
A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...
CVE-2026-24906
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...
CVE-2026-24906
October CMS versions 3.7.0–3.7.13 and 4.1.0–4.1.9 are affected by a Stored XSS in Backend Editor Settings. The vulnerability stems from unsanitized input in the Markup Classes field used for paragraph, inline, and table styles, which could render JavaScript in Froala editor dropdowns when a user ...
CVE-2026-24906 October CMS has Stored XSS in its Backend Editor Markup Classes
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...
CVE-2026-24906 October CMS has Stored XSS in its Backend Editor Markup Classes
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...
CVE-2026-24906
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...
PT-2026-32726
A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...
October Cross-Site Scripting Vulnerability
October is an open-source content management system (CMS) and online platform developed by October. Versions prior to October 3.7.14 and 4.1.10 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper handling of marker class field inputs in the backend editor...
CVE-2025-61674 October CMS Vulnerable to Stored XSS via Editor and Branding Styles
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the styleshee...
Object Injection
ezsystems/ezpublish-legacy is vulnerable to Object Injection. The vulnerability is in the Legacy Shop module, which allows an attacker with backend editor privileges to manipulate the discount rule settings...
Ez Platform Object Injection in legacy shop module
This Security Advisory is about a vulnerability in the Legacy shop module. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission...
CVE-2018-7465
An XSS issue was discovered in VirtueMart before 3.2.14. All the textareas in the backend of the plugin can be closed by simply adding </textarea> to the value and saving the product/config. By editing back the product/config, the editor's browser will execute everything after the </textarea>, leading to a possible XSS...
Phpems V3.1 Backend Editor Has Arbitrary File Upload Vulnerability
PHPEMS (PHP Exam Management System) is an online mock exam system developed with PHP and MySQL that supports a variety of question types and presentations. The backend editor in Phpems V3.1 has an arbitrary file upload vulnerability, due to the backend editor...
Cross-Site Scripting in extension Gridelements (gridelements)
It has been discovered that the extension "gridelements" (gridelements) is susceptible to Cross-Site Scripting. Release Date: February 17, 2015. Component Type: Third party extension. This extension is not a part of the TYPO3 default installation. Affected Versions: gridelements: Versions 3.0.0, 2.1....
TYPO3 < 4.5.4 Backend Editor Information Disclosure Vulnerability (TYPO3-CORE-SA-2011-001)
TYPO3 is prone to an authorization bypass vulnerability. SPDX-FileCopyrightText: 2014 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:typo3:typo3";...
W78 CMS enterprise website management system V2.8 0day - vulnerability warning - the black bar safety net
Mainly a backend editor upload vulnerability. With IIS6.0, a file can be uploaded directly to get the shell. form action="http://127.0.0.1:99/admin/w78eWebEditor/asp/upload.asp?action=save&type=image&style=popup&cusdir=d. asp" method=post name=myform enctype="multipart/form-data" input type=file...