CVE-2025-61676 — Cross-site Scripting in October

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

4.8MEDIUMNVD

EPSS

0.1%

top 84.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Octobercms October October System

Timeline

Latest updateJan 9

PublishedJan 10

Description

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input at Styles from Branding & Appearance settings. A specially crafted input could break out of the intended context, allowing arbitrary script execution across backend pages for all users. T…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

▶Packagistoctober/system4.0.0 — 4.0.12+1

▶NVDoctobercms/october4.0.0 — 4.0.12+1

▶CVEListV5octobercms/october>= 4.0.0, < 4.0.12

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

October CMS Vulnerable to Stored XSS via Branding Styles↗2026-01-09

▶

OSV

October CMS Vulnerable to Stored XSS via Branding Styles↗2026-01-09

▶

🕵️Threat Intelligence

Wiz

CVE-2025-61676 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶