GHSA-jj38-h5w5-mvpf (CVE-2026-27937)

Details

A reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping.

Impact

Reflected XSS only, no stored/persistent component
The backend URL prefix is customizable and must be known or guessed by the attacker
Requires an authenticated backend user to visit a crafted URL
No direct access is gained without social engineering

Patches

The vulnerability has been patched in v3.7.16 and v4.1.16. The affected parameter is now properly escaped. All users are encouraged to upgrade to the latest patched version.

Workarounds

Use a non-default backend URL prefix (recommended as standard practice)
Implement a Content Security Policy (CSP) for backend pages

Affected Packages

october/system

Packagist

Fixed in:

3.7.16

october/system

Packagist

References

ADVISORY

https://github.com/advisories/GHSA-jj38-h5w5-mvpf

PACKAGE

https://github.com/octobercms/october

WEB

https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf