Moderate severity · OSV Advisory · Published Jan 10, 2026 · Updated Jan 12, 2026
October CMS Vulnerable to Stored XSS via Branding Styles
CVE-2025-61676
Description
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input in the Styles field of the Branding & Appearance settings. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
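The raw-text break-out the description refers to, and the context-aware fix a defender would apply, as an added example in Python (not October CMS's own code, which is PHP; the CSS inputs and function names are constructed for illustration):

```python
import html

# Constructed samples: CSS a user holding the "Customize Backend Styles"
# permission might store in the Branding & Appearance "Styles" field.
SAFE_CSS = 'body > .sidebar { background: url("/img/bg.png"); }'
# Constructed sample of the break-out the advisory describes: the stored text
# terminates the <style> element early, so what follows is parsed as markup.
BREAKOUT_CSS = 'p {}</style><script>injected()</script><style>'


def render_vulnerable(css: str) -> str:
    """Pre-fix behaviour described by the advisory: stored CSS embedded verbatim."""
    return f"<style>{css}</style>"


def escape_for_style_element(css: str) -> str:
    """Neutralise every "</" so the HTML raw-text parser can never see "</style".

    The body of <style> is raw text: entities are not decoded and the only
    sequence with meaning is the closing tag, so this is the one thing to escape.
    "\\/" is a valid CSS escape for "/", so "<\\/" stays inert CSS (still a syntax
    error where "</style" was, but it no longer closes the element).
    """
    return css.replace("</", "<\\/")


def render_hardened(css: str) -> str:
    """Fixed behaviour: the stored CSS cannot end the element it is embedded in."""
    return f"<style>{escape_for_style_element(css)}</style>"


def contains_style_breakout(css: str) -> bool:
    """Input-side check: flag submissions that could terminate the <style> element."""
    return "</" in css


def style_element_closes_early(rendered: str) -> bool:
    """Detection on the rendered page: more than the one </style> we emit ourselves?"""
    return rendered.lower().count("</style") > 1


if __name__ == "__main__":
    for css in (SAFE_CSS, BREAKOUT_CSS):
        for render in (render_vulnerable, render_hardened):
            page = render(css)
            print(render.__name__, style_element_closes_early(page), page)
    # Why not html.escape(): ">" is the CSS child combinator and quotes wrap
    # url() strings, so entity-encoding would corrupt legitimate stylesheets.
    print("html.escape would produce:", html.escape(SAFE_CSS))
```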
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| october/system (Packagist) | < 3.7.13 | 3.7.13 |
| october/system (Packagist) | >= 4.0.0, < 4.0.12 | 4.0.12 |
Affected products
- Range: v1.0.319, v1.0.320, v1.0.321, …
References
- github.com/advisories/GHSA-wvpq-h33f-8rp6 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-61676 (GHSA, ADVISORY)
- github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6 (GHSA, x_refsource_CONFIRM, WEB)