PT-2026-32912 · October · October

Daftspunk · Published 2026-04-14 · Updated 2026-04-15

CVE-2026-25133 · CVSS v4.0 5.3 (Medium)
AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
- October versions prior to 3.7.14
- October versions prior to 4.1.10

Description
A stored cross-site scripting (XSS) issue exists in the SVG sanitization logic. The regex pattern used to strip event handler attributes, such as onclick or onload, can be bypassed with a crafted payload that exploits how the pattern matches attribute boundaries. This allows malicious SVG files with embedded JavaScript to be uploaded through the Media Manager. Exploitation requires authenticated backend access with media.library.create permissions and occurs when the SVG is viewed or embedded in a page. This could lead to privilege escalation if a superuser views the file.

Recommendations
- Update to version 3.7.14.
- Update to version 4.1.10.
- Disable SVG uploads by adding svg to the blocked extensions in the media configuration.
- Set media.clean_vectors to true in the configuration.
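To illustrate the weakness class the description points to, here is an added example (not October's code): a parser-based SVG sanitizer in Python that strips every event-handler attribute by name, so the decision does not depend on how attribute boundaries appear in the raw text, and goes slightly beyond the regex case by also dropping script elements and script-scheme hrefs. The element and attribute lists and the constructed sample are assumptions.

```python
"""Parser-based SVG sanitizer (hypothetical example, not October CMS code).
A regex that strips on* attributes depends on how it matches attribute
boundaries; an XML parser hands over each attribute individually, so the
check below is independent of surrounding text, quoting or case."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

FORBIDDEN_TAGS = {"script", "foreignObject"}   # assumed block list
URL_ATTRS = {"href"}                           # matches plain and xlink:href


def _local(name: str) -> str:
    """Strip the namespace part: '{uri}onclick' -> 'onclick'."""
    return name.rsplit("}", 1)[-1]


def _unsafe_url(value: str) -> bool:
    # Remove whitespace/control characters parsers tolerate before the scheme.
    scheme = "".join(ch for ch in value if not ch.isspace()).lower()
    return scheme.startswith(("javascript:", "data:", "vbscript:"))


def sanitize_svg(svg: str) -> str:
    root = ET.fromstring(svg)
    if _local(root.tag) in FORBIDDEN_TAGS:
        raise ValueError("root element not allowed")
    # Remove forbidden elements whole (copy lists: the tree changes as we go).
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in FORBIDDEN_TAGS:
                parent.remove(child)
    # Every attribute whose local name starts with "on" is an event handler
    # in SVG (onclick, onload, SMIL onbegin, ...); drop it regardless of case.
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr).lower()
            if name.startswith("on") or (name in URL_ATTRS and _unsafe_url(el.attrib[attr])):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


def event_handler_count(svg: str) -> int:
    """Number of on* attributes anywhere in the document (used for checks)."""
    return sum(1 for el in ET.fromstring(svg).iter()
               for a in el.attrib if _local(a).lower().startswith("on"))


# Constructed sample carrying the handler attributes the advisory names.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" '
          'xmlns:xlink="http://www.w3.org/1999/xlink" onload="a()">'
          '<rect width="10" height="10" ONCLICK="b()"/>'
          '<a xlink:href="javascript:c()"><text>x</text></a>'
          '<script>d()</script></svg>')
```

This is the approach behind the advisory's clean-vectors recommendation: parse, then decide per element and per attribute, rather than pattern-match the raw file.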

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-25133
GHSA-GCQV-F29M-67GR

Affected Products

October