CVE-2025-61674

MEDIUM EPSS 8.1%

Published Jan 10, 20265mo ago · Modified Jun 17, 20261w ago

4.8 CVSS 3.1

Medium

Published Jan 10, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.

CVSS Details

Base Score

4.8

Exploitability

1.7

Impact

2.7

Vector string

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction Required

Scope Changed

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

8.1% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 2

Vendor	Product	Version	Range
octobercms	october	*	<3.17.3
octobercms	october	*	≥4.0.0 – <4.0.12

References 1

github.com https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x

PatchVendor Advisory

Remediation

github.com https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x

PatchVendor Advisory