CVE-2026-24906: October CMS has Stored XSS in Backend Editor Markup Classes

April 14, 2026 (updated April 24, 2026)

A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor.

References

github.com/advisories/GHSA-6qmh-j78v-ffp7
github.com/octobercms/october
github.com/octobercms/october/security/advisories/GHSA-6qmh-j78v-ffp7
nvd.nist.gov/vuln/detail/CVE-2026-24906

Code Behaviors & Features

Detect and mitigate CVE-2026-24906 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →