October Rain vulnerabilities

6 known vulnerabilities affecting october/rain.

Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 5

Vulnerabilities

CVE-2026-22692 | MEDIUM | Affected: ≥ 4.0.0, < 4.1.5 and ≥ 0, < 3.7.13 | Published: 2026-04-14
CWE-284: October Rain has a Twig Sandbox Bypass via Collection Methods
A sandbox bypass vulnerability was identified in the optional Twig safe mode feature (`CMS_SAFE_MODE`). Certain methods on the `collect()` helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections.
Impact:
- Bypass of Twig sandbox restrictions
- Only affects installa
Source: GHSA
CVE-2026-25133 | MEDIUM | Affected: ≥ 4.0.0, < 4.1.10 and ≥ 0, < 3.7.14 | Published: 2026-04-14
CWE-79: October Rain has Stored XSS via SVG Filter Bypass
A stored cross-site scripting (XSS) vulnerability was identified in the SVG sanitization logic. The regex pattern used to strip `on*` event handler attributes could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries.
Impact:
- Stored XSS via malicious SVG files uploaded through the Media Manager
- Could allow privilege
Source: GHSA
CVE-2026-25125 | MEDIUM | Affected: ≥ 4.0.0, < 4.1.10 and ≥ 0, < 3.7.14 | Published: 2026-04-14
CWE-200: October Rain has Environment Variable Exfiltration via INI Parser Interpolation
A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's `parse_ini_string()` function supports `${}` syntax for environment variable interpolation. Attackers with Editor access could inject `${APP_KEY}`, `${DB_PASSWORD}`, or similar patterns into CMS page setting
Source: GHSA
CVE-2017-15284 | MEDIUM | PoC available | Affected: ≥ 0, < 1.0.426 | Published: 2022-05-13
CWE-79: OctoberCMS Cross-Site Scripting
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
Sources: GHSA, OSV
CVE-2021-3311 | CRITICAL | CVSS 9.8 | Affected: ≥ 0, < 1.0.472 and ≥ 1.1.0, < 1.1.2 | Published: 2021-02-10
CWE-613: October CMS Session ID not invalidated after logout
Impact: When logging out, the session ID was not invalidated. This is not a problem while the user is logged out, but as soon as the user logs back in the old session ID would be valid again, which means that anyone who gained access to the old session cookie would be able to act as the logged-in user. This is not a major concern for the majority of cases,
Sources: GHSA, OSV
CVE-2020-15128 | MEDIUM | Affected: ≥ 1.0.319, < 1.0.468 | Published: 2020-08-05
CWE-327: Reliance on Cookies without validation in OctoberCMS
Impact: Previously, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user-facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for u
Sources: GHSA, OSV