Moderate severity · OSV Advisory · Published Jan 10, 2026 · Updated Jan 12, 2026
October CMS Vulnerable to Stored XSS via Editor and Branding Styles
CVE-2025-61674
Description
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| october/system (Packagist) | < 3.7.13 | 3.7.13 |
| october/system (Packagist) | >= 4.0.0, < 4.0.12 | 4.0.12 |
Affected products
- Range: v1.0.319, v1.0.320, v1.0.321, …
References
- github.com/advisories/GHSA-gxxc-m74c-f48x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-61674 (ghsa, ADVISORY)
- github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x (ghsa, x_refsource_CONFIRM, WEB)