CVE-2026-27937
LOW3.1EPSS 0.04%October CMS: Reflected XSS via DataTable Form Widget
Description
A reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. ### Impact - Reflected XSS only, no stored/persistent component - The backend URL prefix is customizable and must be known or guessed by the attacker - Requires an authenticated backend user to visit a crafted URL - No direct access is gained without social engineering ### Patches The vulnerability has been patched in v3.7.16 and v4.1.16. The affected parameter is now properly escaped. All users are encouraged to upgrade to the latest patched version. ### Workarounds - Use a non-default backend URL prefix (recommended as standard practice) - Implement a Content Security Policy (CSP) for backend pages
Affected packages (1)
- Packagist/october/systemfrom 0, < 3.7.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |