Skip to main content

October

57 CVEs product

Monthly

CVE-2026-29179 PHP LOW PATCH GHSA Monitor

October CMS versions prior to 3.7.16 and 4.1.16 fail to enforce fine-grained sub-permission checks for asset and blueprint file operations in the CMS and Tailor editor extensions, allowing backend users with editor access but explicitly withheld editor.cms_assets or editor.tailor_blueprints permissions to perform unauthorized file operations (create, delete, rename, move, upload) on theme assets and blueprint files. Additionally, an operator precedence error discloses the theme blueprint directory tree under the same conditions. This affects an uncommon permission configuration where high-privileged users have granular restrictions selectively applied.

Authentication Bypass October
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-27937 PHP LOW PATCH GHSA Monitor

Reflected cross-site scripting (XSS) in October CMS backend DataTable widget allows unauthenticated remote attackers to inject arbitrary JavaScript via a query parameter, requiring user interaction to execute malicious code. The vulnerability affects versions prior to 3.7.16 and 4.1.16, with a low severity CVSS score of 3.1 reflecting the requirement for high attack complexity and user clicking a malicious link.

XSS October
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-26274 PHP MEDIUM PATCH GHSA This Month

October CMS versions prior to 3.7.14 and 4.1.10 allow backend developers with Developer permissions to bypass Twig sandbox restrictions and execute unauthorized database write operations (insert, update, delete) via the query builder when cms.safe_mode is enabled. This privilege escalation vulnerability enables data manipulation on any database table despite sandbox security policies intended to restrict template functionality.

Information Disclosure October
NVD GitHub
CVSS 3.1
6.6
EPSS
0.1%
CVE-2026-26067 PHP MEDIUM PATCH GHSA This Month

October CMS versions prior to 3.7.14 and 4.1.10 allow authenticated backend users with Editor permissions to read arbitrary server files by crafting malicious CSS preprocessor files (.less, .sass, .scss) that exploit the compiler's import functionality. The vulnerability persists even when cms.safe_mode is enabled, enabling high-confidence information disclosure of sensitive configuration files, credentials, and application source code without requiring administrative privileges.

Authentication Bypass Information Disclosure October
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-25133 PHP MEDIUM PATCH GHSA This Month

Stored XSS in October CMS versions before 3.7.14 and 4.1.10 allows authenticated users with media upload permissions to bypass SVG sanitization regex patterns and inject malicious JavaScript through crafted SVG files. When a superuser or other high-privileged user views or embeds the malicious SVG, the payload executes in their browser context, enabling privilege escalation. The vulnerability requires both authenticated backend access and user interaction (viewing/embedding the SVG), resulting in a CVSS 4.8 (Medium) rating; no public exploit code has been identified at time of analysis.

Privilege Escalation XSS October
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-24907 PHP MEDIUM PATCH GHSA This Month

Stored cross-site scripting (XSS) in October CMS versions prior to 3.7.14 and 4.1.10 allows authenticated users with Event Log viewing permissions to execute arbitrary JavaScript in other users' browsers via malicious HTML content in the mail preview iframe. The vulnerability stems from improper iframe sandboxing when rendering logged email messages, affecting confidentiality and integrity with a CVSS score of 5.1. No public exploit code has been identified at the time of analysis.

XSS October
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-24906 PHP MEDIUM PATCH GHSA This Month

Stored Cross-Site Scripting (XSS) in October CMS versions prior to 3.7.14 and 4.1.10 allows authenticated backend users with editor settings permissions to inject malicious JavaScript into Markup Classes fields, which executes unsanitized in the Froala editor dropdown menus when any user-including superusers-opens a RichEditor. This enables privilege escalation when a superuser performs routine content editing tasks. CVSS 5.1 indicates moderate risk; exploitation requires authenticated backend access and user interaction (opening an editor), but the stored nature of the payload and privilege escalation potential elevate real-world concern. No public exploit code or active CISA KEV status reported.

Privilege Escalation XSS October
NVD GitHub
CVSS 4.0
5.1
EPSS
0.1%
CVE-2026-22692 PHP MEDIUM PATCH GHSA This Month

Sandbox bypass in October CMS versions prior to 3.7.13 and 4.0.0-4.1.4 allows authenticated users with template editing permissions to bypass the optional Twig safe mode (CMS_SAFE_MODE) protections via unrestricted collect() helper methods. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with the non-default CMS_SAFE_MODE feature enabled. Fixed in versions 3.7.13 and 4.1.5.

Authentication Bypass October
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-61676 PHP MEDIUM PATCH This Month

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. [CVSS 6.1 MEDIUM]

XSS October
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-61674 PHP MEDIUM PATCH This Month

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. [CVSS 6.1 MEDIUM]

XSS October
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-51991 PHP LOW PATCH Monitor

October is a Content Management System (CMS) and web platform. Rated low severity (CVSS 1.1), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload October
NVD GitHub
CVSS 4.0
1.1
EPSS
0.3%
CVE-2024-45962 PHP MEDIUM POC This Month

October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS October
NVD
CVSS 3.1
4.7
EPSS
0.5%
CVE-2024-25837 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in October CMS Bloghub Plugin v1.3.8 and lower allows attackers to execute arbitrary web scripts or HTML via a crafted payload into the Comments. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS October
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-25637 PHP MEDIUM PATCH This Month

October is a self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XSS October
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-24764 PHP MEDIUM PATCH This Month

October is a self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Open Redirect October
NVD GitHub
CVSS 3.1
4.8
EPSS
0.3%
CVE-2023-44382 PHP CRITICAL PATCH Act Now

October is a Content Management System (CMS) and web platform to assist with development workflow. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PHP October
NVD GitHub
CVSS 3.1
9.1
EPSS
0.9%
CVE-2023-44381 PHP MEDIUM PATCH This Month

October is a Content Management System (CMS) and web platform to assist with development workflow. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PHP October
NVD GitHub
CVSS 3.1
4.9
EPSS
0.5%
CVE-2023-44383 PHP MEDIUM PATCH This Month

October is a Content Management System (CMS) and web platform to assist with development workflow. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS October
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-43876 MEDIUM POC This Month

A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS October
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-37692 PHP MEDIUM POC This Month

An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload XSS October
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-35944 PHP HIGH PATCH This Week

October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP Code Injection October
NVD GitHub
CVSS 3.1
7.2
EPSS
0.9%
CVE-2022-24800 PHP HIGH PATCH This Week

October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

PHP Race Condition RCE October
NVD GitHub
CVSS 3.1
8.1
EPSS
1.4%
CVE-2022-23655 PHP MEDIUM PATCH This Month

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required.

PHP Jwt Attack Information Disclosure October
NVD GitHub
CVSS 3.1
5.3
EPSS
0.6%
CVE-2022-21705 PHP HIGH POC PATCH This Week

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP RCE October
NVD GitHub
CVSS 3.1
7.2
EPSS
8.7%
CVE-2021-41126 PHP HIGH PATCH This Week

October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Authentication Bypass October
NVD GitHub
CVSS 3.1
7.2
EPSS
1.1%
CVE-2021-32648 PHP CRITICAL POC KEV PATCH THREAT Act Now

octobercms in a CMS platform based on the Laravel PHP Framework. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

PHP Authentication Bypass October
NVD GitHub
CVSS 3.1
9.1
EPSS
90.4%
CVE-2021-29487 PHP HIGH PATCH This Week

octobercms in a CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

PHP Authentication Bypass October
NVD GitHub
CVSS 3.1
7.4
EPSS
0.9%
CVE-2021-21264 PHP MEDIUM PATCH This Month

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

PHP Authentication Bypass October
NVD GitHub
CVSS 3.1
5.2
EPSS
0.3%
CVE-2021-21265 PHP HIGH PATCH This Week

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP Information Disclosure October
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-3311 PHP CRITICAL POC PATCH Act Now

An issue was discovered in October through build 471. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Information Disclosure October
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2020-26231 PHP MEDIUM PATCH This Month

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass PHP October
NVD GitHub
CVSS 3.1
6.7
EPSS
0.3%
CVE-2020-15249 PHP MEDIUM PATCH This Month

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP October
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2020-15248 PHP MEDIUM PATCH This Month

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass PHP October
NVD GitHub
CVSS 3.1
4.2
EPSS
0.3%
CVE-2020-15247 PHP MEDIUM PATCH This Month

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass PHP October
NVD GitHub
CVSS 3.1
5.2
EPSS
0.3%
CVE-2020-15246 PHP HIGH PATCH This Week

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass PHP October
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2020-15128 PHP MEDIUM PATCH This Month

In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable.

Information Disclosure October
NVD GitHub
CVSS 3.1
6.3
EPSS
0.7%
CVE-2020-11083 PHP MEDIUM POC PATCH This Month

In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS October
NVD GitHub
CVSS 3.1
4.8
EPSS
1.1%
CVE-2020-4061 PHP MEDIUM POC PATCH This Month

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS October
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%
CVE-2020-5299 PHP MEDIUM PATCH This Month

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection October
NVD GitHub
CVSS 3.1
5.1
EPSS
1.0%
CVE-2020-5298 PHP MEDIUM POC PATCH This Month

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS October
NVD GitHub
CVSS 3.1
4.8
EPSS
0.9%
CVE-2020-5297 PHP LOW POC PATCH Monitor

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff,. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure October
NVD GitHub
CVSS 3.1
2.7
EPSS
1.2%
CVE-2020-5296 PHP MEDIUM POC PATCH This Month

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure October
NVD GitHub
CVSS 3.1
4.9
EPSS
1.4%
CVE-2020-5295 PHP MEDIUM POC PATCH This Month

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure LFI PHP October
NVD GitHub Exploit-DB
CVSS 3.1
4.9
EPSS
7.4%
CVE-2018-1999009 PHP HIGH PATCH This Week

October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in Sensitive information. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Information Disclosure PHP October
NVD
CVSS 3.0
8.1
EPSS
2.4%
CVE-2018-1999008 MEDIUM PATCH This Month

October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS October
NVD
CVSS 3.0
5.4
EPSS
0.5%
CVE-2018-7198 PHP MEDIUM POC PATCH This Month

October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS October
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
2.4%
CVE-2017-16941 HIGH This Week

October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload October
NVD GitHub
CVSS 3.0
8.8
EPSS
0.5%
CVE-2017-1000197 CRITICAL PATCH Act Now

October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating malicious files on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure October
NVD GitHub
CVSS 3.0
9.8
EPSS
0.4%
CVE-2017-1000196 CRITICAL PATCH Act Now

October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromise and possibly other applications on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection PHP October
NVD GitHub
CVSS 3.0
9.8
EPSS
1.1%
CVE-2017-1000195 HIGH PATCH This Week

October CMS build 412 is vulnerable to PHP object injection in asset move functionality resulting in ability to delete files limited by file permissions on the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP October
NVD GitHub
CVSS 3.0
7.5
EPSS
0.2%
CVE-2017-1000194 PHP CRITICAL PATCH Act Now

October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromise and possibly other applications on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Apache File Upload October
NVD GitHub
CVSS 3.0
9.8
EPSS
0.4%
CVE-2017-1000193 PHP MEDIUM PATCH This Month

October CMS build 412 is vulnerable to stored WCI (a.k.a XSS) in brand logo image name resulting in JavaScript code execution in the victim's browser. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS RCE October
NVD GitHub
CVSS 3.0
6.1
EPSS
0.4%
CVE-2017-16244 PHP HIGH POC PATCH This Week

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF October
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
0.4%
CVE-2017-15284 PHP MEDIUM POC PATCH This Month

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS October
NVD GitHub Exploit-DB
CVSS 3.0
5.4
EPSS
1.7%
CVE-2017-1000119 PHP HIGH POC THREAT Act Now

October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 76.2%.

RCE PHP File Upload October
NVD Exploit-DB
CVSS 3.0
7.2
EPSS
76.2%
Threat
5.2
CVE-2015-5613 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving a file title, a different. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS October
NVD GitHub
CVSS 3.0
5.4
EPSS
0.2%
CVE-2015-5612 PHP MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via the caption tag of a profile image. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS October
NVD GitHub
CVSS 2.0
4.3
EPSS
0.3%
EPSS 0% CVSS 3.3
LOW PATCH Monitor

October CMS versions prior to 3.7.16 and 4.1.16 fail to enforce fine-grained sub-permission checks for asset and blueprint file operations in the CMS and Tailor editor extensions, allowing backend users with editor access but explicitly withheld editor.cms_assets or editor.tailor_blueprints permissions to perform unauthorized file operations (create, delete, rename, move, upload) on theme assets and blueprint files. Additionally, an operator precedence error discloses the theme blueprint directory tree under the same conditions. This affects an uncommon permission configuration where high-privileged users have granular restrictions selectively applied.

Authentication Bypass October
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Reflected cross-site scripting (XSS) in October CMS backend DataTable widget allows unauthenticated remote attackers to inject arbitrary JavaScript via a query parameter, requiring user interaction to execute malicious code. The vulnerability affects versions prior to 3.7.16 and 4.1.16, with a low severity CVSS score of 3.1 reflecting the requirement for high attack complexity and user clicking a malicious link.

XSS October
NVD GitHub
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

October CMS versions prior to 3.7.14 and 4.1.10 allow backend developers with Developer permissions to bypass Twig sandbox restrictions and execute unauthorized database write operations (insert, update, delete) via the query builder when cms.safe_mode is enabled. This privilege escalation vulnerability enables data manipulation on any database table despite sandbox security policies intended to restrict template functionality.

Information Disclosure October
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

October CMS versions prior to 3.7.14 and 4.1.10 allow authenticated backend users with Editor permissions to read arbitrary server files by crafting malicious CSS preprocessor files (.less, .sass, .scss) that exploit the compiler's import functionality. The vulnerability persists even when cms.safe_mode is enabled, enabling high-confidence information disclosure of sensitive configuration files, credentials, and application source code without requiring administrative privileges.

Authentication Bypass Information Disclosure October
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Stored XSS in October CMS versions before 3.7.14 and 4.1.10 allows authenticated users with media upload permissions to bypass SVG sanitization regex patterns and inject malicious JavaScript through crafted SVG files. When a superuser or other high-privileged user views or embeds the malicious SVG, the payload executes in their browser context, enabling privilege escalation. The vulnerability requires both authenticated backend access and user interaction (viewing/embedding the SVG), resulting in a CVSS 4.8 (Medium) rating; no public exploit code has been identified at time of analysis.

Privilege Escalation XSS October
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in October CMS versions prior to 3.7.14 and 4.1.10 allows authenticated users with Event Log viewing permissions to execute arbitrary JavaScript in other users' browsers via malicious HTML content in the mail preview iframe. The vulnerability stems from improper iframe sandboxing when rendering logged email messages, affecting confidentiality and integrity with a CVSS score of 5.1. No public exploit code has been identified at the time of analysis.

XSS October
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored Cross-Site Scripting (XSS) in October CMS versions prior to 3.7.14 and 4.1.10 allows authenticated backend users with editor settings permissions to inject malicious JavaScript into Markup Classes fields, which executes unsanitized in the Froala editor dropdown menus when any user-including superusers-opens a RichEditor. This enables privilege escalation when a superuser performs routine content editing tasks. CVSS 5.1 indicates moderate risk; exploitation requires authenticated backend access and user interaction (opening an editor), but the stored nature of the payload and privilege escalation potential elevate real-world concern. No public exploit code or active CISA KEV status reported.

Privilege Escalation XSS October
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Sandbox bypass in October CMS versions prior to 3.7.13 and 4.0.0-4.1.4 allows authenticated users with template editing permissions to bypass the optional Twig safe mode (CMS_SAFE_MODE) protections via unrestricted collect() helper methods. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with the non-default CMS_SAFE_MODE feature enabled. Fixed in versions 3.7.13 and 4.1.5.

Authentication Bypass October
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. [CVSS 6.1 MEDIUM]

XSS October
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. [CVSS 6.1 MEDIUM]

XSS October
NVD GitHub
EPSS 0% CVSS 1.1
LOW PATCH Monitor

October is a Content Management System (CMS) and web platform. Rated low severity (CVSS 1.1), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

File Upload October
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM POC This Month

October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS October
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in October CMS Bloghub Plugin v1.3.8 and lower allows attackers to execute arbitrary web scripts or HTML via a crafted payload into the Comments. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS October
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

October is a self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XSS October
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

October is a self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Open Redirect October
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

October is a Content Management System (CMS) and web platform to assist with development workflow. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PHP +1
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

October is a Content Management System (CMS) and web platform to assist with development workflow. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection PHP +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

October is a Content Management System (CMS) and web platform to assist with development workflow. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS October
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS October
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload XSS +1
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP Code Injection +1
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

PHP Race Condition RCE +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required.

PHP Jwt Attack Information Disclosure +1
NVD GitHub
EPSS 9% CVSS 7.2
HIGH POC PATCH This Week

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP RCE October
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Authentication Bypass October
NVD GitHub
EPSS 90% CVSS 9.1
CRITICAL POC KEV PATCH THREAT Act Now

octobercms in a CMS platform based on the Laravel PHP Framework. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

PHP Authentication Bypass October
NVD GitHub
EPSS 1% CVSS 7.4
HIGH PATCH This Week

octobercms in a CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

PHP Authentication Bypass October
NVD GitHub
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

PHP Authentication Bypass October
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP Information Disclosure October
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

An issue was discovered in October through build 471. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Information Disclosure October
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass PHP October
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PHP October
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass PHP October
NVD GitHub
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass PHP October
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass PHP October
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable.

Information Disclosure October
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS October
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS October
NVD GitHub
EPSS 1% CVSS 5.1
MEDIUM PATCH This Month

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection October
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS October
NVD GitHub
EPSS 1% CVSS 2.7
LOW POC PATCH Monitor

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff,. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure October
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM POC PATCH This Month

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure October
NVD GitHub
EPSS 7% CVSS 4.9
MEDIUM POC PATCH This Month

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure LFI PHP +1
NVD GitHub Exploit-DB
EPSS 2% CVSS 8.1
HIGH PATCH This Week

October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in Sensitive information. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Information Disclosure PHP +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS October
NVD
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS October
NVD Exploit-DB
EPSS 1% CVSS 8.8
HIGH This Week

October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload October
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating malicious files on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure October
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromise and possibly other applications on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection PHP +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

October CMS build 412 is vulnerable to PHP object injection in asset move functionality resulting in ability to delete files limited by file permissions on the server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization PHP October
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromise and possibly other applications on the server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Apache File Upload October
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

October CMS build 412 is vulnerable to stored WCI (a.k.a XSS) in brand logo image name resulting in JavaScript code execution in the victim's browser. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS RCE October
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF October
NVD GitHub Exploit-DB
EPSS 2% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS October
NVD GitHub Exploit-DB
EPSS 76% 5.2 CVSS 7.2
HIGH POC THREAT Act Now

October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 76.2%.

RCE PHP File Upload +1
NVD Exploit-DB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving a file title, a different. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS October
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via the caption tag of a profile image. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS October
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy