october/system Security Advisories (23)
-
[LOW] October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations
PKSA-h2tj-db1h-m5mf CVE-2026-29179 GHSA-jvwg-phxx-j3rp
Affected version: <3.7.16|>=4.0.0,<4.1.16
Reported by:
GitHub -
[LOW] October CMS: Reflected XSS via DataTable Form Widget
PKSA-drxd-zbt8-s1kh CVE-2026-27937 GHSA-jj38-h5w5-mvpf
Affected version: >=4.0.0,<4.1.16|<3.7.16
Reported by:
GitHub -
[MEDIUM] October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
PKSA-4k1j-qzgm-rvr3 CVE-2026-26067 GHSA-3888-q23f-x7qh
Affected version: >=4.0.0,<4.1.10|<3.7.14
Reported by:
GitHub -
[MEDIUM] October CMS has Stored XSS in Event Log Mail Preview
PKSA-57nm-kh7g-ddrg CVE-2026-24907 GHSA-j4j5-9x6g-rgxc
Affected version: <=3.7.13|>=4.0.0,<=4.1.9
Reported by:
GitHub -
[MEDIUM] October CMS has Stored XSS in Backend Editor Markup Classes
PKSA-44b4-zdw9-q1j5 CVE-2026-24906 GHSA-6qmh-j78v-ffp7
Affected version: <=3.7.13|>=4.0.0,<=4.1.9
Reported by:
GitHub -
[MEDIUM] October CMS Vulnerable to Stored XSS via Branding Styles
PKSA-bbp3-wdjz-b51v CVE-2025-61676 GHSA-wvpq-h33f-8rp6
Affected version: >=4.0.0,<=4.0.11|<=3.7.12
Reported by:
GitHub -
[MEDIUM] October CMS Vulnerable to Stored XSS via Editor and Branding Styles
PKSA-4qp4-vb8r-g3zj CVE-2025-61674 GHSA-gxxc-m74c-f48x
Affected version: >=4.0.0,<=4.0.11|<=3.7.12
Reported by:
GitHub -
[LOW] October CMS Allows Unprotected SVG Rename in Media Manager
PKSA-q2z3-dfft-h9n9 CVE-2024-51991 GHSA-96hh-8hx5-cpw7
Affected version: <3.7.5
Reported by:
GitHub -
[LOW] October System module has an Open Redirect for Administrator Accounts
PKSA-p3z9-vbzt-z2jz CVE-2024-24764 GHSA-v2vf-jv88-3fp5
Affected version: >=3.2,<3.5.15
Reported by:
GitHub -
[LOW] October System module has a Reflected XSS via X-October-Request-Handler Header
PKSA-j6q3-mjmd-wqfs CVE-2024-25637 GHSA-rjw8-v7rr-r563
Affected version: >=3.2,<3.5.15
Reported by:
GitHub -
[MEDIUM] October CMS stored XSS by authenticated backend user with improper configuration
PKSA-nq4f-mpv2-n3ph CVE-2023-44383 GHSA-rvx8-p3xp-fj3p
Affected version: >=3.0.0,<3.5.2
Reported by:
GitHub -
[CRITICAL] October CMS safe mode bypass using Twig sandbox escape
PKSA-mp4c-pdx9-4t88 CVE-2023-44382 GHSA-p8q3-h652-65vx
Affected version: >=3.0.0,<3.4.15
Reported by:
GitHub -
[MEDIUM] October CMS safe mode bypass using Page template injection
PKSA-h48h-31f5-knv7 CVE-2023-44381 GHSA-q22j-5r3g-9hmh
Affected version: >=3.0.0,<3.4.15
Reported by:
GitHub -
[HIGH] October CMS Safe Mode bypass leads to authenticated Remote Code Execution
PKSA-91zd-f7p3-qtvm CVE-2022-35944 GHSA-x4q7-m6fp-4v9v
Affected version: >=2.0.0,<2.2.34|>=3.0.0,<3.0.66
Reported by:
GitHub -
[HIGH] October CMS upload process vulnerable to RCE via Race Condition
PKSA-yr75-7y9f-cxw9 CVE-2022-24800 GHSA-8v7h-cpc2-r8jp
Affected version: >=2.0.0,<2.2.15|>=1.1.0,<1.1.12|<1.0.476
Reported by:
GitHub -
[MEDIUM] Missing server signature validation in OctoberCMS
PKSA-9y13-4h42-rz75 CVE-2022-23655 GHSA-53m6-44rc-h2q5
Affected version: <1.0.475|>=1.1.0,<1.1.11
Reported by:
GitHub -
[HIGH] Authenticated remote code execution in October CMS
PKSA-zpmz-wj2m-t91q CVE-2022-21705 GHSA-79jw-2f46-wv22
Affected version: >=2.0.0,<2.1.27|>=1.1.0,<1.1.10|<1.0.474
Reported by:
GitHub -
[HIGH] october/system arbitrary code execution
PKSA-v82s-kwcn-dh7q CVE-2021-32650 GHSA-5hfj-r725-wpc4
Affected version: <1.0.473|>=1.1.0,<1.1.6
Reported by:
GitHub -
[HIGH] October/System authenticated file write leads to remote code execution
PKSA-m6wq-j1hd-zj67 CVE-2021-32649 GHSA-wv23-pfj7-2mjj
Affected version: <1.0.473|>=1.1.0,<1.1.6
Reported by:
GitHub -
[HIGH] Deleted Admin Can Sign In to Admin Interface
PKSA-ygz3-dmrq-fzm6 CVE-2021-41126 GHSA-6gjf-7w99-j7x7
Affected version: >=2.1.0,<2.1.12
Reported by:
GitHub -
[HIGH] October CMS auth bypass and account takeover
PKSA-5jr1-315n-phgp CVE-2021-29487 GHSA-h76r-vgf3-j6w5
Affected version: >=1.1.1,<1.1.5|<1.0.472
Reported by:
GitHub -
[HIGH] Account Takeover in Octobercms
PKSA-s6tk-gzy5-p91g CVE-2021-32648 GHSA-mxr5-mc97-63rc
Affected version: >=1.1.1,<1.1.5|<1.0.472
Reported by:
GitHub -
[MEDIUM] Use of insecure jQuery version in OctoberCMS
PKSA-xy3n-kyy6-rp8s GHSA-v73w-r9xg-7cr9
Affected version: >=1.0.319,<1.0.466
Reported by:
GitHub