October System vulnerabilities
23 known vulnerabilities affecting october/system.
Total CVEs: 23
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 3, HIGH 6, MEDIUM 9, LOW 5
Vulnerabilities
Page 1 of 2
CVE-2026-26067 [MEDIUM] CWE-200 October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
Affected versions: ≥ 0, < 3.7.14; ≥ 4.0.0, < 4.1.10. Published: 2026-04-21.
A server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft `.less`, `.sass`, or `.scss` files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with `cms.safe_mode` enabled.
### Im
Sources: GHSA
CVE-2026-29179 [LOW] CWE-863 October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations
Affected versions: ≥ 4.0.0, < 4.1.16; ≥ 0, < 3.7.16. Published: 2026-04-21.
Fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted `editor` access but had `editor.cms_assets` or `editor.tailor_blueprints` specifically withheld, an uncommon per
Sources: GHSA
CVE-2026-27937 [LOW] CWE-79 October CMS: Reflected XSS via DataTable Form Widget
Affected versions: ≥ 0, < 3.7.16; ≥ 4.0.0. Published: 2026-04-21.
A reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping.
### Impact
- Reflected XSS only, no stored/persistent component
- The backend URL prefix is customizable and must be known or guessed by the attacker
- Requires an authenticated backend user to v
Sources: GHSA
CVE-2026-24907 [MEDIUM] CWE-79 October CMS has Stored XSS in Event Log Mail Preview
Affected versions: ≥ 4.0.0, < 4.1.10; ≥ 0, < 3.7.14. Published: 2026-04-14.
A stored cross-site scripting (XSS) vulnerability was identified in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context.
### Impact
- Stored XSS via mail template content rendered in Event Log
- Could allow privile
Sources: GHSA
CVE-2026-24906 [MEDIUM] CWE-79 October CMS has Stored XSS in Backend Editor Markup Classes
Affected versions: ≥ 4.0.0, < 4.1.10; ≥ 0, < 3.7.14. Published: 2026-04-14.
A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript executi
Sources: GHSA
CVE-2025-61676 [MEDIUM] CWE-79 October CMS Vulnerable to Stored XSS via Branding Styles
Affected versions: ≥ 0, < 3.7.13; ≥ 4.0.0, < 4.0.12. Published: 2026-01-09.
A cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms:
- **Branding and Appearances Styles**
A user with the `Customize Backend Styles` permission could inject malicious HTML/JS into the stylesheet input at
*Settings → Branding & Appearance → Styles*.
A specially crafted input could break out of the in
Sources: GHSA, OSV
CVE-2025-61674 [MEDIUM] CWE-79 October CMS Vulnerable to Stored XSS via Editor and Branding Styles
Affected versions: ≥ 0, < 3.7.13; ≥ 4.0.0, < 4.0.12. Published: 2026-01-09.
A cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms:
- **Editor Settings Markup Styles**
A user with the `Global Editor Settings` permission could inject malicious HTML/JS into the stylesheet input at
*Settings → Editor Settings → Markup Styles*.
A specially crafted input could
Sources: GHSA, OSV
CVE-2024-51991 [LOW] CWE-434 October CMS Allows Unprotected SVG Rename in Media Manager
Affected versions: ≥ 0, < 3.7.5. Published: 2025-05-05.
### Impact
This advisory affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .pn
Sources: GHSA, OSV
CVE-2024-25637 [LOW] CWE-79 October System module has a Reflected XSS via X-October-Request-Handler Header
Affected versions: ≥ 3.2, < 3.5.15. Published: 2024-06-26.
### Impact
The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception too
Sources: GHSA, OSV
CVE-2024-24764 [LOW] CWE-601 October System module has an Open Redirect for Administrator Accounts
Affected versions: ≥ 3.2, < 3.5.15. Published: 2024-06-26.
### Impact
This advisory affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (`october://`) allowed external links, therefore allowing an open redirect outside the scope of the active host.
This vulnerability assumes a trusted
Sources: GHSA, OSV
CVE-2023-44382 [CRITICAL] CWE-94 October CMS safe mode bypass using Twig sandbox escape
Affected versions: ≥ 3.0.0, < 3.4.15. Published: 2023-11-29.
### Impact
An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.
This is not a problem f
Sources: GHSA, OSV
CVE-2023-44383 [MEDIUM] CWE-79 October CMS stored XSS by authenticated backend user with improper configuration
Affected versions: ≥ 3.0.0, < 3.5.2. Published: 2023-11-29.
### Impact
A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported.
SVG files are supported by default in v3 for convenience; however, this has resulted in multiple
Sources: GHSA, OSV
CVE-2023-44381 [MEDIUM] CWE-94 October CMS safe mode bypass using Page template injection
Affected versions: ≥ 3.0.0, < 3.4.15. Published: 2023-11-29.
### Impact
An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can craft a special request to include PHP code in the CMS template.
This is not a problem for anyon
Sources: GHSA, OSV
CVE-2022-35944 [HIGH] CWE-94 October CMS Safe Mode bypass leads to authenticated Remote Code Execution
Affected versions: ≥ 2.0.0, < 2.2.34; ≥ 3.0.0, < 3.0.66. Published: 2022-10-13.
### Impact
This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to in
Sources: GHSA, OSV
CVE-2022-24800 [HIGH] CWE-362 October CMS upload process vulnerable to RCE via Race Condition
Affected versions: ≥ 0, < 1.0.476; ≥ 1.1.0, < 1.1.12 (+1 more). Published: 2022-07-13.
### Impact
This advisory affects plugins that expose the `October\Rain\Database\Attach\File::fromData` as a public interface. This vulnerability does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally.
When the developer allows the user to specify their own file
Sources: GHSA, OSV
CVE-2022-23655 [MEDIUM] CWE-347 Missing server signature validation in OctoberCMS
Affected versions: ≥ 1.1.0, < 1.1.11; ≥ 0, < 1.0.475. Published: 2022-02-24.
### Impact
This advisory affects authors of plugins and themes listed on the October CMS marketplace where an end-user will inadvertently expose authors to potential financial loss by entering their private license key into a compromised server.
It has been disclosed that a project fork of October CMS v1.0 is using a compromised gateway to access the October CMS
Sources: GHSA, OSV
CVE-2022-21705 [HIGH] CWE-74 Authenticated remote code execution in October CMS
Affected versions: ≥ 0, < 1.0.474; ≥ 1.1.0, < 1.1.10 (+1 more). Public exploit: PoC. Published: 2022-02-23.
### Impact
An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code.
- This issue only affects admin panels that rely on safe mode and restricted permissions.
- To exploit this vulnerability, an attacker must first have ac
Sources: GHSA, OSV
CVE-2021-32650 [HIGH] CWE-74 october/system arbitrary code execution
Affected versions: ≥ 1.1.0, < 1.1.6; ≥ 0, < 1.0.473. Published: 2022-01-14.
### Impact
An attacker with access to the backend is able to execute PHP code by using the theme import feature. This bypasses the safe mode feature that prevents PHP execution in the CMS templates.
### Patches
The issue has been patched in Build 473 and v1.1.6.
### Workarounds
Apply https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26 to your
Sources: GHSA, OSV
CVE-2021-32649 [HIGH] CWE-74 October/System authenticated file write leads to remote code execution
Affected versions: ≥ 1.1.0, < 1.1.6; ≥ 0, < 1.0.473. Published: 2022-01-14.
### Impact
An attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in the template markup.
### Patches
The issue has been patched in Build 473 and v1.1.6.
### Workarounds
Apply https://github.com/octobercms/october/commit/1
Sources: GHSA, OSV
CVE-2021-41126 [HIGH] CWE-287 Deleted Admin Can Sign In to Admin Interface
Affected versions: ≥ 2.1.0, < 2.1.12. Published: 2021-10-06.
### Impact
A deleted administrator who once had access to the admin interface may still be able to sign in to the backend using October CMS v2.0.
### Patches
The issue has been patched in v2.1.12.
### Workarounds
- Reset the password of the deleted accounts to prevent them from signing in.
- Please contact [email protected] for code change instructions if yo
Sources: GHSA, OSV