CVE-2021-32648 HIGH

CVE-2021-32648: Account Takeover in Octobercms

Vendor Octobercms
Product october
Weakness CWE-287 · Improper authentication
KEV Status Known Exploited
Published August 26, 2021
Last update October 21, 2025

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01 Description

OctoberCMS is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package, an attacker can request a password reset for an account and then gain access to that account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

CISA mandated remediation

02 CISA Required Action

Apply updates per vendor instructions.

Key dates

03 Disclosure timeline

August 26, 2021 CVE published
October 21, 2025 Record updated