Moderate severity · OSV Advisory · Published Jan 10, 2026 · Updated Jan 12, 2026
October CMS Vulnerable to Stored XSS via Editor and Branding Styles
CVE-2025-61674
Description
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
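The `<style>` breakout described above can be checked for in stored stylesheet values. The Python below is an added example, not October CMS code and not the project's patch; the setting names and sample values are constructed, and the `<\/` rewrite is one common mitigation assumed here rather than taken from the advisory.

```python
import re

# <style> is an HTML raw-text element: the parser closes it at the first
# "</style" followed by whitespace, "/" or ">", case-insensitively, and it
# does not care whether that text sits inside a CSS string or comment.
# End-of-value also counts, because the page template's own markup follows.
STYLE_END = re.compile(r"</style(?=[\t\n\f\r />]|\Z)", re.IGNORECASE)


def find_style_breakouts(css: str) -> list[int]:
    """Offsets in `css` where an enclosing <style> element would be closed."""
    return [m.start() for m in STYLE_END.finditer(css)]


def neutralize_for_style(css: str) -> str:
    """Rewrite every "</" as "<\\/" before embedding `css` in <style>.

    In CSS "\\/" is an escaped "/", so strings and url() values keep their
    meaning, but the HTML parser no longer sees an end tag.
    """
    return css.replace("</", "<\\/")


def audit(settings: dict[str, str]) -> dict[str, list[int]]:
    """Return only the settings whose value contains a breakout sequence."""
    hits = {name: find_style_breakouts(value) for name, value in settings.items()}
    return {name: offsets for name, offsets in hits.items() if offsets}


# Constructed sample values; the key names are hypothetical labels, not
# October CMS field or column names.
SAMPLE_SETTINGS = {
    "markup_styles": "a{color:red}</STYLE ><b>constructed marker</b>",
    "branding_styles": ".logo{background:url('/img/logo.png')}",
}

if __name__ == "__main__":
    for name, offsets in audit(SAMPLE_SETTINGS).items():
        print(f"{name}: <style> breakout at offsets {offsets}")
        print("  safe form:", neutralize_for_style(SAMPLE_SETTINGS[name]))
```

A hit in a stored value on an unpatched install is a reason to review who holds the Global Editor Settings permission and when the value was last changed.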
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| october/system (Packagist) | < 3.7.13 | 3.7.13 |
| october/system (Packagist) | >= 4.0.0, < 4.0.12 | 4.0.12 |
Affected products
- Range: v1.0.319, v1.0.320, v1.0.321, …
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-gxxc-m74c-f48x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-61674 (ghsa, ADVISORY)
- github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x (ghsa, x_refsource_CONFIRM, WEB)