October CMS up to and including 1.0.431 allows XSS by entering HTML on the Add Posts page.
octobercms october