Platform
php
Component
octobercms
Fixed in
4.0.1
3.7.17
3.7.16
CVE-2026-27937 describes a reflected Cross-Site Scripting (XSS) vulnerability discovered in the backend DataTable widget of October CMS. This vulnerability allows an attacker to inject malicious scripts if a query parameter is not properly output escaped. The impact is limited to reflected XSS, requiring an authenticated backend user to visit a crafted URL and knowledge of the backend URL prefix. Patches are available in versions 3.7.16 and 4.1.16.
The vulnerability lies in the improper output escaping of a query parameter within the backend DataTable widget. Successful exploitation allows an attacker to inject and execute arbitrary JavaScript code within the context of the affected user's session. While the vulnerability is classified as reflected XSS, meaning the payload is not stored persistently, it still poses a significant risk. An attacker could potentially steal session cookies, redirect users to malicious websites, or deface the backend interface. The attack requires an authenticated backend user to visit a specially crafted URL, and the attacker must know or be able to guess the backend URL prefix, which is customizable.
CVE-2026-27937 was publicly disclosed on 2026-04-21. No public proof-of-concept (POC) code has been identified at the time of writing. The vulnerability's CVSS severity is rated LOW, indicating a relatively low probability of exploitation in the wild. It is not currently listed on the CISA KEV catalog.
Organizations using October CMS versions 4.0.0 through 4.1.15 are at risk. Specifically, those with custom backend URL prefixes or those who allow user-supplied input to influence the DataTable queries are more vulnerable. Shared hosting environments running October CMS should also be prioritized for patching.
• php: Examine October CMS application logs for unusual URL parameters or JavaScript execution attempts.
grep -i 'javascript:' /path/to/october/cms/logs/error.log
• generic web: Monitor access logs for requests containing suspicious query parameters in the DataTable URL.
curl -I 'https://your-october-cms-site.com/backend/october/manage/settings/datatables?param=javascript:alert('"'"'XSS'"'"')'
• generic web: Check response headers for signs of JavaScript injection.
curl -I 'https://your-october-cms-site.com/backend/october/manage/settings/datatables?param=javascript:alert('"'"'XSS'"'"')' | grep Content-Type
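The access-log check above can be applied offline to exported log lines instead of a live `grep`. The following script is an added example, not code from the advisory or from the October CMS project: it parses combined-format access log lines, keeps only requests under the backend prefix that reach the DataTable widget path, URL-decodes each query parameter (including double encoding) and flags values carrying a script marker. The backend prefix `backend`, the DataTable path, the marker list and the sample log lines are all constructed assumptions for the example.

```python
"""
Added example (not part of the original advisory): an offline scanner for
the access-log check described above. It reports requests to the backend
DataTable endpoint whose decoded query parameters contain script markers.
The prefix, path, markers and log lines below are constructed assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed assumption: October CMS lets operators customize the backend
# prefix; the default "backend" is used here, matching the advisory's curl example.
BACKEND_PREFIX = "backend"

# Markers indicating a script payload reflected into a DataTable URL.
# Detection signatures only; not an exhaustive list.
SCRIPT_MARKERS = ("javascript:", "<script", "onerror=", "onload=")

# Combined log format: host, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def decode_fully(value, rounds=3):
    """URL-decode up to `rounds` times so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target, prefix=BACKEND_PREFIX):
    """
    Return (param, decoded_value) pairs from `target` whose decoded value
    contains a script marker. Only requests under the backend prefix that
    reach a DataTable path are inspected; an empty list means clean.
    """
    parts = urlsplit(target)
    path = parts.path.lower()
    if not path.startswith(f"/{prefix.lower()}/") or "datatable" not in path:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_fully(value).lower()
        if any(marker in decoded for marker in SCRIPT_MARKERS):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Parse log lines and return one finding per request carrying script markers."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "host": m.group("host"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "hits": hits,
            })
    return findings


# Constructed sample log lines (combined log format); the second one is
# double-encoded, the third is a normal backend request, the fourth is a
# frontend request outside the backend prefix and must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Apr/2026:10:00:01 +0000] "GET /backend/october/manage/settings/datatables?param=javascript:alert(%27XSS%27) HTTP/1.1" 200 5123',
    '203.0.113.5 - - [21/Apr/2026:10:00:02 +0000] "GET /backend/october/manage/settings/datatables?param=%253Cscript%253E HTTP/1.1" 200 5120',
    '198.51.100.7 - admin [21/Apr/2026:10:01:00 +0000] "GET /backend/october/manage/settings/datatables?page=2 HTTP/1.1" 200 4980',
    '198.51.100.7 - - [21/Apr/2026:10:02:00 +0000] "GET /blog?q=javascript:alert(%27XSS%27) HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} status={f['status']} params={f['hits']}")
```

Run against a real export by replacing `SAMPLE_LOG` with the lines of your web server access log; if the backend prefix was changed from the default, set `BACKEND_PREFIX` accordingly, otherwise nothing will match. Findings with a 200 status on an unpatched version are the ones worth correlating with the authenticated backend user's session.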
Exploit status
EPSS
0.03% (percentile 10%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27937 is to upgrade to a patched version of October CMS. Version 4.1.16 and 3.7.16 contain the necessary fixes to properly escape the vulnerable query parameter. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious query parameters. Additionally, restrict access to the backend interface and enforce strong password policies to minimize the risk of unauthorized access. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via the vulnerable query parameter and verifying that it is properly sanitized.
Update October CMS to version 3.7.16 or later, or to version 4.1.16 or later. This update fixes the XSS vulnerability by properly escaping query parameters in the DataTable widget.
CVE-2026-27937 is a reflected Cross-Site Scripting (XSS) vulnerability affecting the backend DataTable widget in October CMS, allowing attackers to inject scripts via a crafted URL.
You are affected if you are running October CMS versions 4.0.0 through 4.1.15. Upgrade to 4.1.16 or 3.7.16 to mitigate the risk.
Upgrade to October CMS version 4.1.16 or 3.7.16. Consider implementing a WAF rule as a temporary workaround if immediate upgrade is not possible.
There is no confirmed active exploitation of CVE-2026-27937 at this time, but it's crucial to apply the patch to prevent potential future attacks.
Refer to the official October CMS security advisory for detailed information and updates: [https://octobercms.com/support/security-advisories](https://octobercms.com/support/security-advisories)