{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27937", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:11:36.689Z", "datePublished": "2026-04-21T16:17:06.973Z", "dateUpdated": "2026-04-21T20:37:33.620Z"}, "containers": {"cna": {"title": "October: Reflected XSS via DataTable Form Widget", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf"}], "affected": [{"vendor": "octobercms", "product": "october", "versions": [{"version": ">= 4.0.0, < 4.1.16", "status": "affected"}, {"version": "< 3.7.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:17:06.973Z"}, "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16."}], "source": {"advisory": "GHSA-jj38-h5w5-mvpf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:27:38.111770Z", "id": "CVE-2026-27937", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:37:33.620Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:27:38.111770Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:27:42.669Z"}}], "cna": {"title": "October: Reflected XSS via DataTable Form Widget", "source": {"advisory": "GHSA-jj38-h5w5-mvpf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "octobercms", "product": "october", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.1.16"}, {"status": "affected", "version": "< 3.7.16"}]}], "references": [{"url": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf", "name": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:17:06.973Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27937", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:37:33.620Z", "dateReserved": "2026-02-25T03:11:36.689Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:17:06.973Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16."}], "id": "CVE-2026-27937", "lastModified": "2026-04-22T21:08:48.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:35.900", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.1.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "october", "source": "cna", "vendor": "octobercms"}, "product": "october", "vendor": "octobercms"}], "analysis": {"en": {"generated_at": "2026-04-21T22:41:48.546191+00:00", "value": {"mitigation_remediation": ["Upgrade October CMS to version 3.7.16 or newer 4.1.16, which removes the reflected XSS flaw.", "If an immediate upgrade is not possible, enforce proper output encoding or sanitize all query parameters that are rendered in the admin interface to prevent script injection.", "As a temporary measure, disable or remove the DataTable widget from all backend pages until a patch is applied."], "summary": {"action": "Patch", "impact": "Reflected Cross\u2011Site Scripting in the backend DataTable widget"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Octobercms October CMS versions prior to 3.7.16 for the 3.x line and prior to 4.1.16 for the 4.x line. The affected product is listed as octobercms:october.", "description_and_impact": "A reflected Cross\u2011Site Scripting flaw exists in the backend DataTable widget of October CMS where a query parameter is rendered without proper output escaping. An attacker who can craft a URL to the admin interface can trigger the injection, causing arbitrary client\u2011side script to run in the context of users who access the page. This may lead to session theft, cookie theft, defacement, or the delivery of malicious payloads to administrators.", "risk_and_exploitability": "The CVSS score is 3.1, indicating a low severity impact. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. However, the flaw requires the attacker to target the backend, implying that it is exploitable only if an attacker can gain access to an admin user\u2019s session or trick an administrator into visiting the crafted link. The risk is therefore moderate in environments where the backend is exposed to untrusted users but could be higher if administrators frequently open links from untrusted sources."}}}}, "created": "2026-04-21T17:30:37.394382+00:00", "updated": "2026-04-21T22:45:16.062516+00:00", "vendors": ["octobercms", "octobercms$PRODUCT$october"]}