octobercms/october vulnerabilities

58 known vulnerabilities affecting octobercms/october.

Total CVEs: 58
CISA KEV: 1 (actively exploited)
Public exploits: 7
Exploited in wild: 1
Severity breakdown: CRITICAL 6, HIGH 14, MEDIUM 34, LOW 4

Vulnerabilities

Page 1 of 3
CVE-2026-26067 | MEDIUM | CVSS 4.9 | affects >= 4.0.0, < 4.1.10 | fixed in 3.7.14 and 4.1.10 | 2026-04-21
CWE-184. October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary file […]
Source: NVD
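The weakness above is a path-confinement failure: the preprocessor resolves an @import relative to the theme and nothing stops the target from landing outside it. The block below is an added example, not October's compiler integration or its patch. It confines an import target to a base directory with realpath(), rejecting traversal, absolute paths, URL-like schemes and symlinks that escape the base. The helper name resolve_import_within and the temporary theme layout are assumptions made for the illustration.

```php
<?php
// Added example (not October CMS code): confine a preprocessor @import
// target to a base directory so that "../../.env"-style imports, absolute
// paths and symlinks pointing outside the theme cannot be read.

function resolve_import_within(string $baseDir, string $importPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Refuse absolute paths, drive letters and URL-like schemes outright.
    if (preg_match('#^([a-z][a-z0-9+.-]*:|/|\\\\)#i', $importPath) === 1) {
        return null;
    }
    // realpath() canonicalises ".." segments and follows symlinks, and
    // returns false when the target does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $importPath);
    if ($candidate === false) {
        return null;
    }
    // The resolved file must sit strictly below $base. The separator is
    // appended so that "/theme-evil" does not pass as a child of "/theme".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// --- Constructed layout in a temp dir: theme assets plus a secret outside.
$root = sys_get_temp_dir() . '/import-demo-' . bin2hex(random_bytes(4));
mkdir("$root/theme/assets/less", 0700, true);
file_put_contents("$root/theme/assets/less/_vars.less", '@brand: #123;');
file_put_contents("$root/.env", 'APP_KEY=constructed-secret');
symlink("$root/.env", "$root/theme/assets/less/link-to-env.less");

$assets = "$root/theme/assets";
$cases = [
    'less/_vars.less',          // legitimate import -> resolved path
    '../../.env',               // traversal -> REJECTED
    'less/link-to-env.less',    // symlink escaping the base -> REJECTED
    '/etc/passwd',              // absolute path -> REJECTED
    'file:///etc/passwd',       // scheme -> REJECTED
];
foreach ($cases as $import) {
    $resolved = resolve_import_within($assets, $import);
    printf("%-24s => %s\n", $import, $resolved ?? 'REJECTED');
}

// Tidy up the constructed files.
unlink("$root/theme/assets/less/link-to-env.less");
unlink("$root/theme/assets/less/_vars.less");
unlink("$root/.env");
foreach (["$root/theme/assets/less", "$root/theme/assets", "$root/theme", $root] as $d) {
    rmdir($d);
}
```

The check is done on the canonical path rather than on the string the user typed, which is what makes the symlink case fail closed: the link lives inside the base, but what it points to does not.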
CVE-2026-26274 | MEDIUM | CVSS 6.6 | affects >= 4.0.0, < 4.1.10 | fixed in 3.7.14 and 4.1.10 | 2026-04-21
CWE-184. October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on […]
Source: NVD
CVE-2026-27937 | LOW | CVSS 3.1 | affects >= 4.0.0, < 4.1.16 | fixed in 3.7.16 and 4.1.16 | 2026-04-21
CWE-79. October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.
Source: NVD
CVE-2026-29179 | LOW | CVSS 3.3 | affects >= 4.0.0, < 4.1.16 | fixed in 3.7.16 and 4.1.16 | 2026-04-21
CWE-863. October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints s[…]
Source: NVD
CVE-2026-22692 | MEDIUM | CVSS 4.9 | affects >= 4.0.0, < 4.1.5 | fixed in 3.7.13 and 4.1.5 | 2026-04-14
CWE-284. October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to […]
Source: NVD
CVE-2026-24907 | MEDIUM | CVSS 5.1 | affects >= 4.0.0, < 4.1.10 | fixed in 3.7.14 and 4.1.10 | 2026-04-14
CWE-79. October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser c[…]
Source: NVD
CVE-2026-25133 | MEDIUM | CVSS 4.8 | affects >= 4.0.0, < 4.1.10 | fixed in 3.7.14 and 4.1.10 | 2026-04-14
CWE-79. October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches […]
Source: NVD
CVE-2026-25125 | MEDIUM | CVSS 4.9 | affects >= 4.0.0, < 4.1.10 | fixed in 3.7.14 and 4.1.10 | 2026-04-14
CWE-94. October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpolation, attackers with Editor access could inject patterns such as ${APP […]
Source: NVD
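The mechanism behind CVE-2026-25125 can be reproduced with PHP alone: in the default scanner mode the INI lexer resolves ${NAME} against loaded php.ini directives and then the process environment, so any settings field that reaches parse_ini_string() untouched becomes an environment-variable oracle. The block below is an added example, not October's settings parser or its patch. The APP_KEY value is constructed, and parse_untrusted_ini is an assumed helper showing one way to neutralise the syntax.

```php
<?php
// Added example (not October CMS code): parse_ini_string() expands ${NAME}
// in INI_SCANNER_NORMAL mode, so user-controlled settings text can read
// environment variables. Two ways to stop that are shown.

// Constructed secret standing in for a real APP_KEY in the environment.
putenv('APP_KEY=constructed-app-key-do-not-reuse');

// Untrusted settings text, as an Editor-level user might submit it.
// "\$" keeps the dollar sign literal inside the PHP string.
$untrusted = "title = \${APP_KEY}\n";

// 1) Default mode: the reference is expanded and the secret leaks into the
//    parsed value (and from there into whatever renders the setting).
$leaky = parse_ini_string($untrusted);
var_dump($leaky['title']);   // "constructed-app-key-do-not-reuse"

// 2) INI_SCANNER_RAW: values are taken literally, no ${} expansion.
$raw = parse_ini_string($untrusted, false, INI_SCANNER_RAW);
var_dump($raw['title']);     // string(10) "${APP_KEY}"

// 3) If typed values (true/false/null/ints) are wanted, which RAW mode does
//    not give, refuse the interpolation syntax before parsing instead.
function parse_untrusted_ini(string $ini): array
{
    if (str_contains($ini, '${')) {
        throw new InvalidArgumentException('variable interpolation is not allowed in settings');
    }
    $result = parse_ini_string($ini, false, INI_SCANNER_TYPED);
    if ($result === false) {
        throw new InvalidArgumentException('malformed INI');
    }
    return $result;
}

try {
    parse_untrusted_ini($untrusted);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
var_dump(parse_untrusted_ini("title = Hello\nenabled = true\n"));
```

INI_SCANNER_RAW is the simplest fix when the settings are plain strings; the substring check is the fallback when the typed scanner is needed, and it has to run on the raw submitted text, before any concatenation that could reassemble "${".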
CVE-2026-24906 | MEDIUM | CVSS 5.1 | affects >= 4.0.0, < 4.1.10 | fixed in 3.7.14 and 4.1.10 | 2026-04-14
CWE-79. October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious value […]
Source: NVD
CVE-2025-61674 | MEDIUM | CVSS 4.8 | affects >= 4.0.0, < 4.0.12 (+2 more ranges) | fixed in 3.7.13 and 4.0.12 | 2026-01-10
CWE-79. October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input […]
Source: NVD
CVE-2025-61676 | MEDIUM | CVSS 4.8 | affects >= 4.0.0, < 4.0.12 (+1 more range) | fixed in 3.7.13 and 4.0.12 | 2026-01-10
CWE-79. October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input at Styles from Branding & Appearance set […]
Source: NVD
CVE-2024-51991 | LOW | CVSS 1.1 | fixed in 3.7.5 | 2025-05-05
CWE-434. October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this pr[…]
Source: NVD
CVE-2024-45962 | MEDIUM | CVSS 4.7 | affects 3.6.30 | 2024-10-02
CWE-79. October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target.
Source: NVD
CVE-2024-25837 | MEDIUM | CVSS 5.4 | affects Bloghub plugin <= 1.3.8 | 2024-08-16
CWE-79. A stored cross-site scripting (XSS) vulnerability in October CMS Bloghub Plugin v1.3.8 and lower allows attackers to execute arbitrary web scripts or HTML via a crafted payload into the Comments section.
Source: NVD
CVE-2024-25637 | MEDIUM | CVSS 5.4 | affects >= 3.2.0, < 3.5.15 | 2024-06-26
CWE-79. October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a […]
Source: NVD
CVE-2024-24764 | MEDIUM | CVSS 4.8 | affects >= 3.2.0, < 3.5.15 | 2024-06-26
CWE-601. October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (`october://`) allowed external links, therefore allowing an open redirect outside the scope of the active host.
Source: NVD
CVE-2023-25365 | HIGH | CVSS 7.8 | affects 3.2.0 | 2024-02-08
CWE-434. Cross Site Scripting vulnerability found in October CMS v.3.2.0 allows a local attacker to execute arbitrary code via the file type .mp3.
Source: NVD
CVE-2023-44382 | CRITICAL | CVSS 9.1 | affects >= 3.0.0, < 3.4.15 | 2023-12-01
CWE-94. October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can write spec[…]
Source: NVD
CVE-2023-44381 | MEDIUM | CVSS 4.9 | affects >= 3.0.0, < 3.4.15 | 2023-12-01
CWE-94. October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can craft a spec[…]
Source: NVD
CVE-2023-44383 | MEDIUM | CVSS 5.4 | affects >= 3.0.0, < 3.5.2 | fixed in 3.5.2 | 2023-11-29
CWE-79. October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This issue has been patched in version 3.5.2.
Source: NVD
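Four entries on this page (CVE-2023-44383, CVE-2024-51991, CVE-2026-25133 and, on the regex side, the `media.clean_vectors` bypass) come down to the same engineering point: SVG is XML, and stripping event handlers out of it with a regular expression leaves gaps that a DOM walk does not. The block below is an added example, not October's sanitizer or any of its patches. The regex in strip_handlers_with_regex is a constructed stand-in whose gap (single-quoted attribute values) is one generic member of the class; the actual bypass for CVE-2026-25133 is truncated on this page and is not reproduced here. sanitize_svg and the sample upload are assumptions made for the illustration.

```php
<?php
// Added example (not October CMS code): why stripping SVG event handlers
// with a regex is fragile, and a DOM-based alternative that decides on
// parsed attribute names and values instead of on raw text.

function strip_handlers_with_regex(string $svg): string
{
    // Constructed stand-in pattern. It only recognises double-quoted values,
    // so a single-quoted handler (still well-formed XML) slips through.
    return preg_replace('/\s+on\w+\s*=\s*"[^"]*"/i', '', $svg);
}

function sanitize_svg(string $svg): ?string
{
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch external resources while parsing.
    $loaded = $dom->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$loaded || $dom->doctype !== null) {
        return null; // not well-formed, or carries a DOCTYPE (entity tricks)
    }
    $xpath = new DOMXPath($dom);

    // 1) Remove script-bearing elements whatever namespace prefix they use.
    $drop = $xpath->query('//*[local-name()="script" or local-name()="foreignObject"]');
    foreach (iterator_to_array($drop) as $node) {
        $node->parentNode->removeChild($node);
    }

    // 2) Walk every attribute of every remaining element. Iterate backwards
    //    because removing an attribute shifts the NamedNodeMap indices.
    foreach (iterator_to_array($xpath->query('//*')) as $el) {
        for ($i = $el->attributes->length - 1; $i >= 0; $i--) {
            $attr  = $el->attributes->item($i);
            $name  = strtolower($attr->localName);   // "href" for xlink:href as well
            // Drop control chars and whitespace before looking at the scheme,
            // so "java\nscript:" does not pass as a harmless value.
            $value = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->value));
            $bad = str_starts_with($name, 'on')
                || ($name === 'href' && str_starts_with($value, 'javascript:'))
                || str_starts_with($value, 'data:text/html');
            if ($bad) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    return $dom->saveXML();
}

// Constructed upload: every vector in it is well-formed XML, so it would
// parse and render as image/svg+xml.
$upload = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload='alert(1)'>
  <script>alert(2)</script>
  <a xlink:href="java&#10;script:alert(3)"><circle r="10" onclick="alert(4)"/></a>
</svg>
SVG;

echo "--- regex only (onclick gone, onload/script/href survive) ---\n";
echo strip_handlers_with_regex($upload), "\n";
echo "--- DOM sanitizer ---\n";
echo sanitize_svg($upload) ?? "rejected\n";
```

The DOM version is still a minimal illustration: a production sanitizer for uploads should work from an allowlist of elements and attributes rather than a denylist of known-bad ones, and the file should be served with a Content-Type and Content-Disposition that keep it from executing in the application's origin regardless of what survived sanitization.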