PT-2026-1833 · Octobercms · October
Published 2026-01-09 · Updated 2026-01-10 · CVE-2025-61676
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
October versions prior to 3.7.13
October versions prior to 4.0.12
Description
October is a Content Management System (CMS) and web platform. A cross-site scripting (XSS) issue exists in October CMS backend configuration forms. A user possessing the Customize Backend Styles permission can inject malicious HTML/JS into the stylesheet input located at Styles within the Branding & Appearance settings. A carefully constructed input can bypass the intended <style> context, potentially enabling arbitrary script execution across backend pages for all users.
Recommendations
Update to October version 3.7.13 or later.
Update to October version 4.0.12 or later.
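The description says a stored stylesheet value can leave the intended <style> context; the advisory gives neither the input nor the patch, so this added example (not October's code or its fix) audits stored values for the generic condition, an end-tag sequence for the style element, and shows one way to neutralize it before output. It assumes the value is emitted verbatim inside a <style> element; the setting names and sample values are constructed.

```python
import re

# HTML tokenization runs before CSS parsing: inside <style>, the first
# "</style" (any letter case) ends the element, even when it sits inside a
# CSS comment or string. Flagging the bare prefix is deliberately conservative.
STYLE_END = re.compile(r"</style", re.IGNORECASE)


def find_style_breakouts(css: str) -> list[int]:
    """Return character offsets where the value would close a <style> element."""
    return [m.start() for m in STYLE_END.finditer(css)]


def escape_for_style_element(css: str) -> str:
    """Rewrite "</" as "<\\/" so no end tag can form in the emitted value.

    "\\/" is a CSS escape for "/", so string contents keep their meaning.
    """
    return css.replace("</", "<\\/")


def audit(settings: dict[str, str]) -> dict[str, list[int]]:
    """Map each setting name to its breakout offsets; clean values are omitted."""
    report = {}
    for name, value in settings.items():
        hits = find_style_breakouts(value)
        if hits:
            report[name] = hits
    return report


# Constructed sample values; the keys are hypothetical, not October's schema.
SAMPLES = {
    "plain": "body > .nav { color: #333; }",
    "in_comment": "/* </style> */ a { color: red; }",
    "in_string": 'a::after { content: "</STYLE >"; }',
    "word_only": ".style-guide { margin: 0; }",
}

if __name__ == "__main__":
    for name, offsets in audit(SAMPLES).items():
        print(f"{name}: end-tag sequence at offsets {offsets}")
```

A flagged value on an instance older than 3.7.13 or 4.0.12 is worth reviewing alongside who holds the Customize Backend Styles permission.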
Exploit
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
October