PT-2026-32726 · Froala · Froala

Chris Alupului · Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-24906

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: October, versions prior to 3.7.14 and versions prior to 4.1.10.

Description: A stored Cross-Site Scripting (XSS) issue exists in the Backend Editor Settings. The Markup Classes fields, which define the paragraph, inline, and table styles offered by the editor, do not validate that their values consist only of characters permitted in a CSS class name. Arbitrary values are therefore stored and later rendered unsanitized into the Froala editor's style dropdown menus, so JavaScript executes in the browser of any user who opens a RichEditor. Exploitation requires authenticated backend access with the editor settings permission. Because the payload is stored in shared settings but runs in the session of whoever next opens an editor (the scope change, S:C, in the vector), it can lead to privilege escalation if a superuser opens a RichEditor during routine content editing, such as editing a blog post.

Recommendations: Update to version 3.7.14 or newer, or to version 4.1.10 or newer. Restrict the editor settings permission to fully trusted administrators only. On an instance that cannot be updated immediately, review the existing Markup Classes values and remove any entry that is not a plain CSS class name.
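The check the advisory calls for is a whitelist on the stored value, not output escaping alone: a style entry is only ever meant to be a CSS class name, so anything that is not one should be rejected at the settings boundary. The following is an added example, not code from October or Froala; the entry shape, the dropdown markup and the sample settings values are assumptions constructed to show the verbatim-interpolation pattern beside a validated one.

```javascript
// Added example (not October CMS or Froala code). The entry shape
// {className, label}, the <li> markup and the sample values below are
// assumptions constructed for this illustration.

// A CSS class selector token: optional leading hyphen, then an identifier
// start (letter, underscore or non-ASCII), then letters, digits, hyphens,
// underscores or non-ASCII. CSS escape sequences are deliberately not
// accepted, so any value that would need escaping is rejected outright.
const CSS_CLASS_NAME = /^-?[_A-Za-z\u00A0-\uFFFF][_A-Za-z0-9\-\u00A0-\uFFFF]*$/;

function isValidCssClassName(name) {
  return typeof name === 'string' && CSS_CLASS_NAME.test(name);
}

// Minimal HTML escaping for text and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the stored class name and label are interpolated into
// the dropdown markup verbatim, so a value that is not a class name can
// close the attribute and add its own.
function renderDropdownUnsafe(entries) {
  return entries
    .map((e) => `<li><a class="fr-command" data-cmd="paragraphStyle" data-param1="${e.className}">${e.label}</a></li>`)
    .join('');
}

// Hardened pattern, step 1: validate at the settings boundary and keep the
// rejects so an administrator can see what was dropped.
function validateMarkupClasses(entries) {
  const accepted = [];
  const rejected = [];
  for (const e of entries) {
    if (isValidCssClassName(e.className)) accepted.push(e);
    else rejected.push(e);
  }
  return { accepted, rejected };
}

// Hardened pattern, step 2: render only validated entries and escape the
// free-text label, which is not constrained to an identifier.
function renderDropdownSafe(entries) {
  return validateMarkupClasses(entries).accepted
    .map((e) => `<li><a class="fr-command" data-cmd="paragraphStyle" data-param1="${escapeHtml(e.className)}">${escapeHtml(e.label)}</a></li>`)
    .join('');
}

// Constructed settings: two ordinary styles, one name that is not a valid
// identifier, and one value that breaks out of the attribute when
// interpolated verbatim.
const constructedSettings = [
  { className: 'fr-text-gray', label: 'Gray' },
  { className: 'lead-paragraph', label: 'Lead' },
  { className: '1st-line', label: 'Starts with a digit' },
  { className: 'x" onmouseover="alert(1)', label: 'Attribute breakout' },
];

// Compare both renderers on the same stored settings.
function demo() {
  const unsafe = renderDropdownUnsafe(constructedSettings);
  const safe = renderDropdownSafe(constructedSettings);
  return {
    unsafeContainsHandler: unsafe.includes('onmouseover="alert(1)"'),
    safeContainsHandler: safe.includes('onmouseover="alert(1)"'),
    accepted: validateMarkupClasses(constructedSettings).accepted.map((e) => e.className),
    rejected: validateMarkupClasses(constructedSettings).rejected.map((e) => e.className),
  };
}

console.log(demo());
```

Running `demo()` shows the verbatim renderer emitting an `onmouseover` attribute from the constructed value while the validated renderer never sees that entry. The identifier rule is intentionally strict: a real class name that needs CSS escapes is rare in editor settings, and rejecting it costs far less than letting a non-identifier through.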

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-24906
GHSA-6QMH-J78V-FFP7

Affected Products

Froala