[MEDIUM] October CMS Vulnerable to Stored XSS via Branding Styles

PKSA-bbp3-wdjz-b51v CVE-2025-61676 GHSA-wvpq-h33f-8rp6

Affected version: >=4.0.0,<=4.0.11|<=3.7.12

Reported by:
GitHub

[MEDIUM] October CMS Vulnerable to Stored XSS via Editor and Branding Styles

PKSA-4qp4-vb8r-g3zj CVE-2025-61674 GHSA-gxxc-m74c-f48x

Affected version: >=4.0.0,<=4.0.11|<=3.7.12

Reported by:
GitHub

[LOW] October CMS Allows Unprotected SVG Rename in Media Manager

PKSA-q2z3-dfft-h9n9 CVE-2024-51991 GHSA-96hh-8hx5-cpw7

Affected version: <3.7.5

Reported by:
GitHub

[HIGH] October CMS upload process vulnerable to RCE via Race Condition

PKSA-yr75-7y9f-cxw9 CVE-2022-24800 GHSA-8v7h-cpc2-r8jp

Affected version: >=2.0.0,<2.2.15|>=1.1.0,<1.1.12|<1.0.476

Reported by:
GitHub

[MEDIUM] Missing server signature validation in OctoberCMS

PKSA-9y13-4h42-rz75 CVE-2022-23655 GHSA-53m6-44rc-h2q5

Affected version: <1.0.475|>=1.1.0,<1.1.11

Reported by:
GitHub

[HIGH] Authenticated remote code execution in October CMS

PKSA-zpmz-wj2m-t91q CVE-2022-21705 GHSA-79jw-2f46-wv22

Affected version: >=2.0.0,<2.1.27|>=1.1.0,<1.1.10|<1.0.474

Reported by:
GitHub