CVE-2026-25133
published 2026-04-14CVE-2026-25133: October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in…
PriorityP422medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.22%
12.0th percentile
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries, allowing malicious SVG files to be uploaded through the Media Manager with embedded JavaScript. Exploitation could lead to privilege escalation if a superuser views or embeds the malicious SVG, and requires authenticated backend access with media upload permissions. The SVG must be viewed or embedded in a page for the payload to trigger. This issue has been fixed in versions 3.7.14 and 4.1.10.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | rain | >= 0 < 3.7.14 | 3.7.14 |
| october | rain | >= 4.0.0 < 4.1.10 | 4.1.10 |
| octobercms | october | < 3.7.14 | 3.7.14 |
| octobercms | october | <= 3.7.13 | — |
| octobercms | october | — | — |
| octobercms | october | 4.0.0 – 4.1.9 | — |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvdv4.04.8MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
October LMS up to 3.7.13/4.1.9 SVG File Parser cross site scripting (GHSA-gcqv-f29m-67gr)
vuldb·2026-04-14·CVSS 4.8
CVE-2026-25133 [MEDIUM] October LMS up to 3.7.13/4.1.9 SVG File Parser cross site scripting (GHSA-gcqv-f29m-67gr)
A vulnerability, which was classified as problematic, has been found in October LMS up to 3.7.13/4.1.9. This issue affects some unknown processing of the component SVG File Parser. Performing a manipulation results in cross site scripting.
This vulnerability was named CVE-2026-25133. The attack may be initiated remotely. There is no available exploit.
It is advisable to upgrade the affected component.
GHSA
October Rain has Stored XSS via SVG Filter Bypass
ghsa·2026-04-14
CVE-2026-25133 [MEDIUM] CWE-79 October Rain has Stored XSS via SVG Filter Bypass
October Rain has Stored XSS via SVG Filter Bypass
A stored cross-site scripting (XSS) vulnerability was identified in the SVG sanitization logic. The regex pattern used to strip `on*` event handler attributes could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries.
### Impact
- Stored XSS via malicious SVG files uploaded through the Media Manager
- Could allow privilege escalation if a superuser views or embeds the malicious SVG
- Requires authenticated backend access with media upload permissions (`media.library.create`)
- SVG must be viewed or embedded in a page to trigger
### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.
### Workarounds
If upgrading im
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-14
Published