PT-2026-1833 · Octobercms · October

Published 2026-01-09 · Updated 2026-01-10 · CVE-2025-61676

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

October versions prior to 3.7.13
October versions prior to 4.0.12

Description

October is a Content Management System (CMS) and web platform. A cross-site scripting (XSS) issue exists in October CMS backend configuration forms. A user possessing the Customize Backend Styles permission can inject malicious HTML/JS into the stylesheet input located at Styles within the Branding & Appearance settings. A carefully constructed input can bypass the intended <style> context, potentially enabling arbitrary script execution across backend pages for all users.

Recommendations

Update to October version 3.7.13 or later.
Update to October version 4.0.12 or later.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-61676
GHSA-WVPQ-H33F-8RP6

Affected Products

October