PT-2026-1832 · October · October

Published 2026-01-09 · Updated 2026-01-10 · CVE-2025-61674

CVSS v3.1: 6.1 Medium

Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

October versions prior to 3.7.13
October versions prior to 4.0.12

Description

October is a Content Management System (CMS) and web platform. A cross-site scripting (XSS) issue exists in the October CMS backend configuration forms. A user with the Global Editor Settings permission can inject malicious HTML/JS into the stylesheet input at Markup Styles. Crafted input can break out of the intended context, enabling arbitrary script execution across backend pages for all users.

Recommendations

Update to October version 3.7.13 or later.
Update to October version 4.0.12 or later.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-61674
GHSA-GXXC-M74C-F48X

Affected Products

October