Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries, allowing malicious SVG files to be uploaded through the Media Manager with embedded JavaScript. Exploitation could lead to privilege escalation if a superuser views or embeds the malicious SVG, and requires authenticated backend access with media upload permissions. The SVG must be viewed or embedded in a page for the payload to trigger. This issue has been fixed in versions 3.7.14 and 4.1.10.
AnalysisAI
Stored XSS in October CMS versions before 3.7.14 and 4.1.10 allows authenticated users with media upload permissions to bypass SVG sanitization regex patterns and inject malicious JavaScript through crafted SVG files. When a superuser or other high-privileged user views or embeds the malicious SVG, the payload executes in their browser context, enabling privilege escalation. The vulnerability requires both authenticated backend access and user interaction (viewing/embedding the SVG), resulting in a CVSS 4.8 (Medium) rating; no public exploit code has been identified at time of analysis.
Technical ContextAI
October CMS implements SVG sanitization to prevent malicious payloads in media uploads, using a regex pattern designed to strip event handler attributes such as onclick, onload, onmouseover, and similar DOM event handlers. The vulnerability stems from an insufficient regex pattern (CWE-79: Improper Neutralization of Input During Web Page Generation) that fails to account for all valid attribute boundary conditions in SVG markup. Attackers can craft SVG payloads that exploit whitespace handling, quote variations, or other regex bypass techniques to keep event handlers intact. Since SVG files are processed through the Media Manager and later embedded in pages via October's content rendering system, the injected JavaScript executes within the security context of any user who views or embeds the SVG, potentially allowing lateral privilege escalation when a superuser is the victim.
RemediationAI
Upgrade October CMS immediately to version 3.7.14 (for 3.x deployments) or 4.1.10 (for 4.x deployments) or later. These releases include corrected SVG sanitization regex patterns that properly strip event handler attributes. Organizations unable to patch immediately should implement a workaround by restricting SVG upload permissions to superusers only and auditing existing SVG files for suspicious event handler patterns; however, patching is the definitive fix. Consult the October security advisory at https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr for platform-specific installation instructions.
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise
An issue was discovered in October through build 471. Rated critical severity (CVSS 9.8), this vulnerability is remotely
octobercms in a CMS platform based on the Laravel PHP Framework. Rated critical severity (CVSS 9.1), this vulnerability
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for po
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulner
October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page. Rated medium severity (CVSS 6.1), this vu
October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromis
October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating
October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG fil
Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrar
A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary w
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22705
GHSA-gcqv-f29m-67gr