CVE-2026-24907: October CMS has Stored XSS in Event Log Mail Preview

April 14, 2026 (updated April 24, 2026)

A stored cross-site scripting (XSS) vulnerability was identified in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer’s browser context.

References

github.com/advisories/GHSA-j4j5-9x6g-rgxc
github.com/octobercms/october
github.com/octobercms/october/security/advisories/GHSA-j4j5-9x6g-rgxc
nvd.nist.gov/vuln/detail/CVE-2026-24907

Code Behaviors & Features

Detect and mitigate CVE-2026-24907 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →