Moderate severity · OSV Advisory · Published Jan 10, 2026 · Updated Jan 12, 2026
October CMS Vulnerable to Stored XSS via Branding Styles
CVE-2025-61676
Description
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input under Styles in the Branding & Appearance settings. A specially crafted input could break out of the intended context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| october/system (Packagist) | < 3.7.13 | 3.7.13 |
| october/system (Packagist) | >= 4.0.0, < 4.0.12 | 4.0.12 |
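
An added example (not part of the advisory or of the October CMS project): a Python check that reads a `composer.lock` and reports whether the installed `october/system` falls in the affected ranges from the table above. The sample lock content is constructed, and versions that are not plain `x.y.z` are reported as undecided (`None`).

```python
import json
import re

# Affected ranges for october/system, taken from the advisory table:
# (lowest affected, first patched); the upper bound is exclusive.
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 7, 13)),   # < 3.7.13
    ((4, 0, 0), (4, 0, 12)),   # >= 4.0.0, < 4.0.12
]

def parse_version(text):
    """Turn 'v3.7.12' or '4.0.11' into (3, 7, 12); None for branch or pre-release names."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in match.groups()) if match else None

def is_affected(version_text):
    """True or False for a plain x.y.z version, None when it cannot be decided."""
    version = parse_version(version_text)
    if version is None:
        return None  # e.g. 'dev-develop': review by hand
    return any(low <= version < fixed for low, fixed in AFFECTED_RANGES)

def check_lock(lock_json, package="october/system"):
    """Return (version, affected) for the package in composer.lock text, or None if absent."""
    lock = json.loads(lock_json)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for entry in entries:
        if entry.get("name") == package:
            version = entry.get("version", "")
            return version, is_affected(version)
    return None

# Constructed sample: a minimal composer.lock with an affected 4.0.x install.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v12.0.0"},
        {"name": "october/system", "version": "v4.0.11"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    result = check_lock(SAMPLE_LOCK)
    if result is None:
        print("october/system not found in lock file")
    else:
        print("october/system %s affected=%s" % result)
```
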
Affected products
- Range: v1.0.319, v1.0.320, v1.0.321, …
References
- github.com/advisories/GHSA-wvpq-h33f-8rp6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-61676 (ghsa, ADVISORY)
- github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6 (ghsa, x_refsource_CONFIRM, WEB)