Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

15149 matches found

OSV
OSVadded 2026/04/14 10:29 p.m.1 views

GHSA-G6V3-WV4J-X9HG October Rain has Environment Variable Exfiltration via INI Parser Interpolation

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parseinistring function supports $ syntax for environment variable interpolation. Attackers with Editor access could inject $APPKEY, $DBPASSWORD, or similar patterns into CMS page settings fields,...

4.9CVSS5.7AI score0.00014EPSS
Exploits0References3
Github Security Blog
Github Security Blogadded 2026/04/14 10:29 p.m.2 views

October Rain has Environment Variable Exfiltration via INI Parser Interpolation

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parseinistring function supports $ syntax for environment variable interpolation. Attackers with Editor access could inject $APPKEY, $DBPASSWORD, or similar patterns into CMS page settings fields,...

4.9CVSS5.7AI score0.00014EPSS
Exploits0References3Affected Software1
Snyk
Snykadded 2026/04/14 10:29 p.m.2 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the INI settings parser when environment variable interpolation is processed via the parseinistring function. An attacker with Editor permissions can retrieve sensitive environment variables by injecting...

6.9CVSS5.7AI score0.00014EPSS
Exploits0References2
EUVD
EUVDadded 2026/04/14 10:29 p.m.1 views

EUVD-2026-22704

October Rain has Environment Variable Exfiltration via INI Parser Interpolation...

4.9CVSS5.8AI score0.00014EPSS
Exploits0References2
NVD
NVDadded 2026/04/14 9:16 p.m.1 views

CVE-2026-25125

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parseinistring function supports $ syntax for environment variable interpolation, attackers with...

4.9CVSS0.00014EPSS
Exploits0References1
CVE
CVEadded 2026/04/14 8:39 p.m.3 views

CVE-2026-25125

CVE-2026-25125 affects October CMS versions prior to 3.7.14 and 4.1.10. The issue is a server-side information disclosure in the INI settings parser: if cms.safe_mode is enabled, an Editor user can inject patterns like ${APP_KEY} or ${DB_PASSWORD} via parse_ini_string() through page settings, cau...

4.9CVSS5.8AI score0.00014EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/04/14 8:39 p.m.1 views

CVE-2026-25125

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parseinistring function supports $ syntax for environment variable interpolation, attackers with...

4.9CVSS5.8AI score0.00014EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/04/14 8:39 p.m.1 views

CVE-2026-25125 October CMS: Environment Variable Exfiltration via INI Parser Interpolation

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parseinistring function supports $ syntax for environment variable interpolation, attackers with...

4.9CVSS5.8AI score0.00014EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/04/14 8:39 p.m.15 views

CVE-2026-25125 October CMS: Environment Variable Exfiltration via INI Parser Interpolation

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parseinistring function supports $ syntax for environment variable interpolation, attackers with...

4.9CVSS0.00014EPSS
Exploits0References1
Snyk
Snykadded 2026/04/14 8:2 p.m.1 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the mail preview feature of the Event Log, where HTML content is rendered in an iframe without proper sandboxing. An attacker can execute arbitrary JavaScript in the context of a privileged user's browser by...

5.4CVSS5.7AI score0.00037EPSS
Exploits0References2
OSV
OSVadded 2026/04/14 8:2 p.m.1 views

GHSA-6QMH-J78V-FFP7 October CMS has Stored XSS in Backend Editor Markup Classes

A stored cross-site scripting XSS vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...

5.4CVSS5.8AI score0.00012EPSS
Exploits0References3
EUVD
EUVDadded 2026/04/14 8:2 p.m.1 views

EUVD-2026-22659

October CMS has Stored XSS in Backend Editor Markup Classes...

5.1CVSS5.8AI score0.00012EPSS
Exploits0References2
Snyk
Snykadded 2026/04/14 8:2 p.m.1 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the processing of the Markup Classes fields within the backend editor settings. An attacker can execute arbitrary JavaScript code in the context of users who open a RichEditor by injecting malicious values th...

6.1CVSS5.8AI score0.00012EPSS
Exploits0References2
Github Security Blog
Github Security Blogadded 2026/04/14 8:2 p.m.5 views

October CMS has Stored XSS in Backend Editor Markup Classes

A stored cross-site scripting XSS vulnerability was identified in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala...

5.4CVSS5.8AI score0.00012EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVEadded 2026/04/14 7:23 p.m.3 views

CVE-2026-39640

Cross-Site Request Forgery CSRF vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through = 3.2...

9.6CVSS5.8AI score0.00021EPSS
Exploits0References1
RedhatCVE
RedhatCVEadded 2026/04/14 7:23 p.m.1 views

CVE-2026-39516

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data.This issue affects Nexter Blocks: from n/a through = 4.7.0...

5.3CVSS5.8AI score0.00039EPSS
Exploits0References1
NVD
NVDadded 2026/04/14 6:16 p.m.0 views

CVE-2026-24906

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting XSS vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...

5.4CVSS0.00012EPSS
Exploits0References1
CVE
CVEadded 2026/04/14 5:23 p.m.4 views

CVE-2026-24906

October CMS versions 3.7.0–3.7.13 and 4.1.0–4.1.9 are affected by a Stored XSS in Backend Editor Settings. The vulnerability stems from unsanitized input in the Markup Classes field used for paragraph, inline, and table styles, which could render JavaScript in Froala editor dropdowns when a user ...

5.4CVSS5.9AI score0.00012EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichmentadded 2026/04/14 5:23 p.m.3 views

CVE-2026-24906 October CMS has Stored XSS in its Backend Editor Markup Classes

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting XSS vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...

5.1CVSS5.9AI score0.00012EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/04/14 5:23 p.m.22 views

CVE-2026-24906 October CMS has Stored XSS in its Backend Editor Markup Classes

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting XSS vulnerability in the Backend Editor Settings. The Markup Classes fields used for paragraph styles, inline styles, table styles, etc. did not sanitize input to...

5.1CVSS0.00012EPSS
Exploits0References1
Rows per page
Query Builder