October CMS Has Stored XSS In Backend Editor Markup Classes

A stored cross-site scripting XSS vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...

CVE-2026-24906

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting XSS vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...

CVE-2020-4061

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467...

CVE-2020-4061

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467...

Design/Logic Flaw

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467...

CVE-2020-4061 Cross-site Scripting in OctoberPotential self-XSS when pasting content from malicious websites

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467...

CVE-2020-4061

CVE-2020-4061 affects October CMS’s Froala Rich Editor. Versions 1.0.319 through before 1.0.467 allow self-XSS when pasting content from malicious sites. The issue appears in the clipboard handling of the editor and has been fixed in 1.0.467. Remediation is to upgrade to 1.0.467 or apply the prov...

Cross-site Scripting in October

Impact Pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. Patches Issue has been patched in Build 467 v1.0.467. Workarounds Apply https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5 to your...

Vanilla: Hidden Stored XSS in nested post embeds

Summary: Comments can be crafted in a way that when quoted will trigger a hidden stored XSS payload. Requires initial user interaction. Description: When quoting a comment, an attacker can edit the insert embed-external data url field to contain a string which when parsed, can result in the...

Vanilla: Stored XSS in embedded posts containing images

Summary: Embedded posts containing images can be maliciously crafted to insert Javascript code to run on page load. Description: Steps to reproduce: 1. Ensure you are logged into an account no special permissions are needed 2. Navigate to any page with the richEditor component e.g. any forum post...