PT-2026-32727 · October

Chris Alupului · Published 2026-04-14 · Updated 2026-04-15

CVE-2026-24907 · CVSS v3.1 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
October versions prior to 3.7.14
October versions prior to 4.1.10
Description
A stored cross-site scripting (XSS) issue exists in the Event Log mail preview feature. HTML content from logged mail messages is rendered in an iframe without sandboxing, so any script embedded in a logged message runs in the browser of whoever opens the preview. If a superuser views a malicious log entry, the script runs in that superuser's authenticated backend session and can act on their behalf, which is how the issue escalates privileges. Exploitation requires authenticated backend access with mail template editing permissions (to plant the payload in a message that gets logged) and a superuser who then views that specific Event Log entry; this matches the PR:L/UI:R/S:C vector above.
Recommendations
Update to version 3.7.14 (3.x) or 4.1.10 (4.x).
Restrict mail template editing permissions to fully trusted administrators only.
Restrict Event Log viewing permissions to minimize exposure.
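The rendering pattern the description refers to, shown as an added example that is not October's own code: the same logged mail body placed in an `srcdoc` iframe with no `sandbox` (the vulnerable shape) and with an empty `sandbox` attribute (the hardened shape), plus a small audit helper that flags preview iframes whose sandbox is missing or relaxed. The function names, the constructed sample mail body and the audit findings are assumptions for illustration; the advisory does not show October's implementation.

```javascript
// Added example, not October CMS code. Names below are hypothetical.
// Constructed sample: a logged mail body carrying a stored-XSS payload.
const MALICIOUS_MAIL_HTML =
  '<p>Order received</p>' +
  '<img src=x onerror="fetch(\'/backend/users?promote=1\')">';

// Entity-escape a value for use inside a double-quoted HTML attribute.
// Escaping "<" and ">" is safe for srcdoc: the browser decodes the
// entities first, then parses the decoded string as the frame's document.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable shape: no sandbox. An srcdoc frame without sandbox inherits
// the parent page's origin, so the onerror handler above executes with the
// viewer's backend session (cookies, CSRF tokens, same-origin fetch).
function renderPreviewUnsafe(mailHtml) {
  return `<iframe class="mail-preview" srcdoc="${escapeAttr(mailHtml)}"></iframe>`;
}

// Hardened shape: sandbox="" applies every restriction (no script execution,
// opaque origin, no form submission, no top-level navigation). Do not add
// allow-scripts here; allow-scripts plus allow-same-origin lets the frame
// remove its own sandbox.
function renderPreviewSandboxed(mailHtml) {
  return (
    `<iframe class="mail-preview" sandbox="" referrerpolicy="no-referrer" ` +
    `srcdoc="${escapeAttr(mailHtml)}"></iframe>`
  );
}

// Tokens that are unwanted when the framed content is untrusted mail HTML.
const RELAXING_TOKENS = new Set([
  'allow-scripts', 'allow-same-origin', 'allow-forms',
  'allow-popups', 'allow-top-navigation', 'allow-modals',
]);

// Audit helper: scan markup for <iframe> tags and report ones that have no
// sandbox attribute or whose sandbox re-enables a capability listed above.
function auditIframes(markup) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attrs = m[1];
    const sb = /(?:^|\s)sandbox\b(?:\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+)))?/i.exec(attrs);
    if (!sb) {
      findings.push('iframe without sandbox attribute');
      continue;
    }
    const value = sb[2] ?? sb[3] ?? sb[4] ?? '';
    const relaxed = value.trim().split(/\s+/).filter(Boolean)
      .filter((t) => RELAXING_TOKENS.has(t.toLowerCase()));
    if (relaxed.length) findings.push(`sandbox relaxes: ${relaxed.join(' ')}`);
  }
  return findings;
}

console.log(auditIframes(renderPreviewUnsafe(MALICIOUS_MAIL_HTML)));
console.log(auditIframes(renderPreviewSandboxed(MALICIOUS_MAIL_HTML)));
```

Attribute escaping alone does not fix the issue: both renderers escape the payload correctly for the attribute, yet the unsandboxed frame still executes it once the browser decodes `srcdoc`. The empty `sandbox` is the actual control, and the audit helper is a cheap way to grep templates or rendered pages for the vulnerable shape.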

Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2026-24907
GHSA-J4J5-9X6G-RGXC

Affected Products
October