Platform: php
Component: octobercms
Fixed in: 4.0.1, 3.7.17, 3.7.16
CVE-2026-27937 describes a reflected Cross-Site Scripting (XSS) vulnerability discovered in the backend DataTable widget of October CMS. The widget reflects a query parameter into its output without proper escaping, which allows an attacker to inject script into the page. The impact is limited to reflected XSS: an authenticated backend user must visit a crafted URL, and the attacker must know the backend URL prefix. Patches are available in versions 3.7.16 and 4.1.16.
The vulnerability lies in the improper output escaping of a query parameter within the backend DataTable widget. Successful exploitation allows an attacker to inject and execute arbitrary JavaScript in the context of the affected user's backend session. Although the vulnerability is classified as reflected XSS, meaning the payload is not stored persistently, it still poses a significant risk: an attacker could steal session cookies, redirect users to malicious websites, or deface the backend interface. The attack requires an authenticated backend user to visit a specially crafted URL, and the attacker must know or be able to guess the backend URL prefix, which is customizable.
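As an added example (not October CMS's own code), the reflected-parameter pattern the advisory describes, written as a minimal PHP stand-in for a backend widget, beside the escaped version. The widget, the parameter name `search` and the markup are assumptions; the page gives no code for the real DataTable widget.

```php
<?php
// Added example, not October CMS code. A hypothetical backend widget that
// reflects the "search" query parameter into its own HTML.
declare(strict_types=1);

/** Vulnerable pattern: the raw query value is concatenated into markup. */
function renderSearchBoxUnsafe(array $query): string
{
    $term = (string) ($query['search'] ?? '');
    return '<input type="text" name="search" value="' . $term . '">';
}

/** HTML escaper for attribute and text contexts. */
function e(string $value): string
{
    // ENT_QUOTES escapes both ' and ", so the value cannot close the attribute;
    // ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every reflected value passes through the escaper. */
function renderSearchBoxSafe(array $query): string
{
    $term = (string) ($query['search'] ?? '');
    return '<input type="text" name="search" value="' . e($term) . '">';
}

/** Regression check: the reflected attribute value must contain no raw <, >, " or '. */
function reflectedValueIsEscaped(string $html): bool
{
    $start = strpos($html, 'value="');
    if ($start === false) {
        return false;
    }
    $start += strlen('value="');
    $end = strrpos($html, '"');
    $attr = substr($html, $start, $end - $start);
    return strpbrk($attr, '<>"\'') === false;
}

// Constructed input: a value that would close the attribute if left unescaped.
$query = ['search' => '"><b>injected</b>'];

echo 'unsafe: ' . renderSearchBoxUnsafe($query) . PHP_EOL;
echo 'safe:   ' . renderSearchBoxSafe($query) . PHP_EOL;
echo 'unsafe escaped? ' . (reflectedValueIsEscaped(renderSearchBoxUnsafe($query)) ? 'yes' : 'no') . PHP_EOL;
echo 'safe escaped?   ' . (reflectedValueIsEscaped(renderSearchBoxSafe($query)) ? 'yes' : 'no') . PHP_EOL;
```

The `reflectedValueIsEscaped` check is the kind of assertion a test suite can keep after upgrading, so a later regression in the widget's escaping is caught before it reaches a backend user.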
CVE-2026-27937 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability's CVSS score is LOW, indicating a relatively low probability of exploitation in the wild. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27937 is to upgrade to a patched version of October CMS. Versions 4.1.16 and 3.7.16 contain the necessary fixes to properly escape the vulnerable query parameter. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious query parameters. Additionally, restrict access to the backend interface and enforce strong password policies to minimize the risk of unauthorized access. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via the vulnerable query parameter and verifying that it is properly escaped in the response.
Update October CMS to version 3.7.16 or higher, or to version 4.1.16 or higher. This update fixes the XSS vulnerability by properly escaping query parameters in the DataTable widget.
CVE-2026-27937 is a reflected Cross-Site Scripting (XSS) vulnerability affecting the backend DataTable widget in October CMS, allowing attackers to inject scripts via a crafted URL.
You are affected if you are running October CMS versions 4.0.0 through 4.1.15. Upgrade to 4.1.16 or 3.7.16 to mitigate the risk.
Upgrade to October CMS version 4.1.16 or 3.7.16. Consider implementing a WAF rule as a temporary workaround if immediate upgrade is not possible.
There is no confirmed active exploitation of CVE-2026-27937 at this time, but it's crucial to apply the patch to prevent potential future attacks.
Refer to the official October CMS security advisory for detailed information and updates: [https://octobercms.com/support/security-advisories](https://octobercms.com/support/security-advisories)