CVE-2025-61674 MEDIUM

CVE-2025-61674: October CMS Vulnerable to Stored XSS via Editor and Branding Styles

Vendor Octobercms
Product october
Weakness CWE-79 · XSS
Published January 10, 2026
Last update January 12, 2026
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.

Key dates

02Disclosure timeline

January 10, 2026 CVE published
January 12, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-32552 WordPress Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics plugin <= 3.2 - Cross Site Scripting (XSS) vulnerability CVE-2022-31187 Stored Cross Site Scripting (XSS) through global search in GLPI CVE-2026-1889 Outgrow <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'outgrow' Shortcode 'id' Attribute CVE-2022-21662 Stored XSS in WordPress CVE-2024-24839 WordPress Structured Content Plugin <= 1.6.1 is vulnerable to Cross Site Scripting (XSS)