CVE-2026-27937 - Vulnerability Details - OpenCVE

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Octobercms	October

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Octobercms	October

References

Link	Providers
https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf

History

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 21 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Octobercms Octobercms october
Vendors & Products		Octobercms Octobercms october

Tue, 21 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.
Title		October: Reflected XSS via DataTable Form Widget
Weaknesses		CWE-79
References		https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-21T16:17:06.973Z

Updated: 2026-04-21T20:37:33.620Z

Reserved: 2026-02-25T03:11:36.689Z

Link: CVE-2026-27937

Vulnrichment

Updated: 2026-04-21T20:27:42.669Z

NVD

Status : Received

Published: 2026-04-21T17:16:35.900

Modified: 2026-04-21T17:16:35.900

Link: CVE-2026-27937

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27937", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:11:36.689Z", "datePublished": "2026-04-21T16:17:06.973Z", "dateUpdated": "2026-04-21T20:37:33.620Z"}, "containers": {"cna": {"title": "October: Reflected XSS via DataTable Form Widget", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf"}], "affected": [{"vendor": "octobercms", "product": "october", "versions": [{"version": ">= 4.0.0, < 4.1.16", "status": "affected"}, {"version": "< 3.7.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:17:06.973Z"}, "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16."}], "source": {"advisory": "GHSA-jj38-h5w5-mvpf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:27:38.111770Z", "id": "CVE-2026-27937", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:37:33.620Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:27:38.111770Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:27:42.669Z"}}], "cna": {"title": "October: Reflected XSS via DataTable Form Widget", "source": {"advisory": "GHSA-jj38-h5w5-mvpf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "octobercms", "product": "october", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.1.16"}, {"status": "affected", "version": "< 3.7.16"}]}], "references": [{"url": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf", "name": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:17:06.973Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27937", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:37:33.620Z", "dateReserved": "2026-02-25T03:11:36.689Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:17:06.973Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.1.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "october", "source": "cna", "vendor": "octobercms"}, "product": "october", "vendor": "octobercms"}], "analysis": {"en": {"generated_at": "2026-04-21T22:41:48.546191+00:00", "value": {"mitigation_remediation": ["Upgrade October CMS to version 3.7.16 or newer 4.1.16, which removes the reflected XSS flaw.", "If an immediate upgrade is not possible, enforce proper output encoding or sanitize all query parameters that are rendered in the admin interface to prevent script injection.", "As a temporary measure, disable or remove the DataTable widget from all backend pages until a patch is applied."], "summary": {"action": "Patch", "impact": "Reflected Cross\u2011Site Scripting in the backend DataTable widget"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Octobercms October CMS versions prior to 3.7.16 for the 3.x line and prior to 4.1.16 for the 4.x line. The affected product is listed as octobercms:october.", "description_and_impact": "A reflected Cross\u2011Site Scripting flaw exists in the backend DataTable widget of October CMS where a query parameter is rendered without proper output escaping. An attacker who can craft a URL to the admin interface can trigger the injection, causing arbitrary client\u2011side script to run in the context of users who access the page. This may lead to session theft, cookie theft, defacement, or the delivery of malicious payloads to administrators.", "risk_and_exploitability": "The CVSS score is 3.1, indicating a low severity impact. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. However, the flaw requires the attacker to target the backend, implying that it is exploitable only if an attacker can gain access to an admin user\u2019s session or trick an administrator into visiting the crafted link. The risk is therefore moderate in environments where the backend is exposed to untrusted users but could be higher if administrators frequently open links from untrusted sources."}}}}, "created": "2026-04-21T17:30:37.394382+00:00", "updated": "2026-04-21T22:45:16.062516+00:00", "vendors": ["octobercms", "octobercms$PRODUCT$october"]}