VYPR
Low severity (3.1) · NVD Advisory · Published Apr 21, 2026 · Updated Apr 22, 2026

CVE-2026-27937

Description

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in October CMS's backend DataTable widget allows an attacker to execute arbitrary JavaScript via a crafted query parameter.

Vulnerability

Overview

CVE-2026-27937 is a reflected Cross-Site Scripting (XSS) vulnerability in the October CMS backend DataTable widget. The flaw arises because a query parameter is rendered in the response without proper output escaping, allowing an attacker to inject arbitrary HTML and JavaScript into the page [1][3].

Exploitation

Prerequisites

Exploitation requires an authenticated backend user to visit a specially crafted URL. The attacker must know or guess the customizable backend URL prefix, and no direct access to the system is possible without social engineering [3]. The vulnerability is reflected only, meaning the malicious payload is not stored on the server.

Impact

A successful attack enables the attacker to execute arbitrary JavaScript in the context of the victim's backend session. This could lead to actions such as session hijacking, defacement, or theft of sensitive information, but only if the victim interacts with the crafted link [3].

Mitigation

The vulnerability is fixed in October CMS versions 3.7.16 and 4.1.16, where the affected parameter is now properly escaped [1][3]. Workarounds include using a non-default backend URL prefix and implementing a Content Security Policy (CSP) for backend pages [3].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Source | Affected versions | Patched versions |
|---|---|---|---|
| october/system | Packagist | < 3.7.16 | 3.7.16 |
| october/system | Packagist | >= 4.0.0, < 4.1.16 | 4.1.16 |

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)