CVE-2025-61676 MEDIUM

CVE-2025-61676: October CMS Vulnerable to Stored XSS via Branding Styles

Vendor Octobercms
Product october
Weakness CWE-79 · XSS
Published January 10, 2026
Last update January 12, 2026
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input at Styles from Branding & Appearance settings. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.

Key dates

02Disclosure timeline

January 10, 2026 CVE published
January 12, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-2458 Powerkit – Supercharge your WordPress Site <= 2.9.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2024-10806 PHPGurukul Hospital Management System betweendates-detailsreports.php cross site scripting CVE-2023-3681 Campcodes Retro Cellphone Online Store modal_add_product.php cross site scripting CVE-2025-4172 VerticalResponse Newsletter Widget <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2023-38063