Octobercms October vulnerabilities
58 known vulnerabilities affecting octobercms/october.
Total CVEs: 58
CISA KEV: 1 (actively exploited)
Public exploits: 7
Exploited in wild: 1
Severity breakdown: CRITICAL 6, HIGH 14, MEDIUM 35, LOW 3
Vulnerabilities
Page 2 of 3
CVE-2017-1000195 | P3 | HIGH | CVSS 7.5 | CWE-502 | versions: ≤ 1.0.412 | published 2017-11-17
October CMS build 412 is vulnerable to PHP object injection in asset move functionality resulting in ability to delete files limited by file permissions on the server.
Source: nvd
CVE-2021-41126 | P3 | HIGH | CVSS 7.2 | CWE-287 | versions: ≥ 2.0.0, < 2.1.12 | published 2021-10-06
October is a Content Management System (CMS) and web platform built on the Laravel PHP Framework. In affected versions, administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this i
Source: nvd
CVE-2026-22692 | P3 | MEDIUM | CVSS 6.8 | CWE-284 | versions: fixed in 3.7.13; ≥ 4.0.0, < 4.1.5; +1 more | published 2026-04-14
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to
Source: nvd
CVE-2026-26274 | P3 | MEDIUM | CVSS 6.6 | CWE-184 | versions: ≥ 4.0.0, < 4.1.10; fixed in 3.7.14 | published 2026-04-21
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on
Source: nvd
CVE-2023-25365 | P4 | HIGH | CVSS 7.8 | CWE-434 | versions: v3.2.0 | published 2024-02-08
Cross Site Scripting vulnerability found in October CMS v.3.2.0 allows local attacker to execute arbitrary code via the file type .mp3.
Source: nvd
CVE-2020-26231 | P4 | MEDIUM | CVSS 6.7 | versions: v1.0.469, v1.1.0 | published 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to
Source: nvd
CVE-2020-15128 | P4 | MEDIUM | CVSS 6.3 | CWE-565 | versions: fixed in 1.0.468 | published 2020-07-31
In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your
Source: nvd
CVE-2023-37692 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | versions: v3.4.4 | published 2023-07-26
An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file.
Source: nvd
CVE-2026-26067 | P4 | MEDIUM | CVSS 4.9 | CWE-184 | versions: ≥ 4.0.0, < 4.1.10; fixed in 3.7.14 | published 2026-04-21
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary file
Source: nvd
CVE-2023-44383 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | versions: ≥ 3.0.0, < 3.5.2 | published 2023-11-29
October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This issue has been patched in version 3.5.2.
Source: nvd
CVE-2026-24906 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | versions: ≤ 3.7.13; ≥ 4.0.0, ≤ 4.1.9; +2 more | published 2026-04-14
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious value
Source: nvd
CVE-2026-25125 | P4 | MEDIUM | CVSS 4.9 | CWE-94 | versions: fixed in 3.7.14; ≥ 4.0.0, < 4.1.10; +1 more | published 2026-04-14
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpolation, attackers with Editor access could inject patterns such as ${APP
Source: nvd
CVE-2020-15249 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | versions: ≥ 1.0.319, < 1.0.469 | published 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this
Source: nvd
CVE-2022-23655 | P4 | MEDIUM | CVSS 5.3 | CWE-347 | versions: fixed in 1.0.475; ≥ 1.1.0, < 1.1.11; +1 more | published 2022-02-24
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to build 474 or v1.1.10. The only known workaround is to m
Source: nvd
CVE-2020-5296 | P4 | MEDIUM | CVSS 4.9 | CWE-73 | versions: ≥ 1.0.319, < 1.0.466 | published 2020-06-03
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466).
Source: nvd
CVE-2020-15247 | P4 | MEDIUM | CVSS 5.2 | CWE-862 | versions: ≥ 1.0.319, < 1.0.469; v1.0.471; +1 more | published 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS
Source: nvd
CVE-2024-51991 | P4 | MEDIUM | CVSS 4.9 | CWE-434 | versions: fixed in 3.7.5 | published 2025-05-05
October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this
Source: nvd
CVE-2026-24907 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | versions: ≤ 3.7.13; ≥ 4.0.0, ≤ 4.1.9; +2 more | published 2026-04-14
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser c
Source: nvd
CVE-2023-44381 | P4 | MEDIUM | CVSS 4.9 | CWE-94 | versions: ≥ 3.0.0, < 3.4.15 | published 2023-12-01
October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can craft a spec
Source: nvd
CVE-2017-1000193 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | versions: ≤ 1.0.412 | published 2017-11-17
October CMS build 412 is vulnerable to stored WCI (a.k.a. XSS) in brand logo image name resulting in JavaScript code execution in the victim's browser.
Source: nvd