7 matches found
GHSA-6QMH-J78V-FFP7 October CMS has Stored XSS in Backend Editor Markup Classes
A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...
CVE-2026-24906 October CMS has Stored XSS in its Backend Editor Markup Classes
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...
PT-2026-32726
A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...
CVE-2020-4061
In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467...
Malicious code in shopee-rich-editor (npm)
Source: ghsa-malware 72c066c9fe65fcf154a904316f7b5759935a90c5a3f5d32b3d9778862f397037 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2024-11093 Malicious code in shopee-rich-editor (npm)
Source: ghsa-malware 72c066c9fe65fcf154a904316f7b5759935a90c5a3f5d32b3d9778862f397037 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Vanilla: Stored XSS in Rich editor via Embed datetime
Summary: Rich embed posts can contain javascript URIs which when clicked will trigger javascript code. Description: Registered users can post content in forum posts, private messages and activity posts containing Rich embeds where the date/time of the embedded post when clicked, will trigger a...