CVE-2026-25133Cross-site Scripting in October

CWE-79Cross-site Scripting3 documents3 sources
Severity
4.8MEDIUMNVD
EPSS
0.0%
top 96.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Octobercms OctoberOctober Rain
Timeline
PublishedApr 14

Description

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries, allowing malicious SVG files to be uploaded through the Media Manager with embedded JavaScript. Exploitation could lead to pr

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

Packagistoctober/rain4.0.04.1.10+1
CVEListV5octobercms/october< 3.7.14+1

🔴Vulnerability Details

2
VulDB
October LMS up to 3.7.13/4.1.9 SVG File Parser cross site scripting (GHSA-gcqv-f29m-67gr)2026-04-14
GHSA
October Rain has Stored XSS via SVG Filter Bypass2026-04-14