CVE-2026-26067

October is a Content Management System CMS and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the...

October CMS: Reflected XSS via DataTable Form Widget

A reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. Impact - Reflected XSS only, no stored/persistent component - The backend URL prefix is customizable and must be known or guessed ...

EUVD-2026-24155

October CMS has Safe Mode Bypass via Twig Database Write Operations...

GHSA-H6JM-F4HH-FW27 October CMS has Safe Mode Bypass via Twig Database Write Operations

A vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safemode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query...

EUVD-2026-24153

October CMS has Safe Mode Bypass via CSS Preprocessor Compilers...

GHSA-3888-Q23F-X7QH October CMS has Safe Mode Bypass via CSS Preprocessor Compilers

A server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even...

CVE-2026-27937 October: Reflected XSS via DataTable Form Widget

October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...

CVE-2026-27937 October: Reflected XSS via DataTable Form Widget

October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...

CVE-2026-27937

CVE-2026-27937 concerns the October CMS platform. Affected versions prior to 3.7.16 and 4.1.16 have a vulnerability in the backend DataTable widget where a query parameter is rendered without proper output escaping, resulting in a reflected Cross-Site Scripting (XSS) condition. The root cause is ...

CVE-2026-26274

October is a Content Management System CMS and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safemode is enabled. Backend users with Developer permissions could use Twig template markup ...

CVE-2026-26274 October: Safe Mode Bypass via Twig Database Write Operations

October is a Content Management System CMS and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safemode is enabled. Backend users with Developer permissions could use Twig template markup ...

CVE-2026-26067

October is a Content Management System CMS and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the...

October 跨站脚本漏洞

October is an open-source content management system CMS and network platform developed by October. Versions prior to October 3.7.16 and 4.1.16 contained a cross-site scripting vulnerability. This vulnerability stemmed from insufficient escaping of query parameters during the rendering of the...

October CMS Has Stored XSS In Event Log Mail Preview

A stored cross-site scripting XSS vulnerability was identified in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. Impact - Stored XSS via mail...

October CMS Has Stored XSS In Backend Editor Markup Classes

A stored cross-site scripting XSS vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...

CVE-2026-25133 October CMS has Stored XSS via SVG Filter Bypass

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting XSS vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes such as onclick or onload could be bypassed using a...

CVE-2026-25133 October CMS has Stored XSS via SVG Filter Bypass

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting XSS vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes such as onclick or onload could be bypassed using a...

CVE-2026-25133

CVE-2026-25133 affects October CMS prior to 3.7.14 and 4.1.10, where a stored XSS can be injected via crafted SVGs uploaded through the Media Manager due to a bypass in the SVG sanitization regex. The vulnerability requires authenticated backend access with media upload permissions and triggers w...

CVE-2026-25125

CVE-2026-25125 affects October CMS versions prior to 3.7.14 and 4.1.10. The issue is a server-side information disclosure in the INI settings parser: if cms.safe_mode is enabled, an Editor user can inject patterns like ${APP_KEY} or ${DB_PASSWORD} via parse_ini_string() through page settings, cau...

CVE-2026-25125 October CMS: Environment Variable Exfiltration via INI Parser Interpolation

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parseinistring function supports $ syntax for environment variable interpolation, attackers with...