Medium severity4.8NVD Advisory· Published Apr 14, 2026· Updated Apr 23, 2026
CVE-2026-25133
CVE-2026-25133
Description
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries, allowing malicious SVG files to be uploaded through the Media Manager with embedded JavaScript. Exploitation could lead to privilege escalation if a superuser views or embeds the malicious SVG, and requires authenticated backend access with media upload permissions. The SVG must be viewed or embedded in a page for the payload to trigger. This issue has been fixed in versions 3.7.14 and 4.1.10.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
october/rainPackagist | >= 4.0.0, < 4.1.10 | 4.1.10 |
october/rainPackagist | < 3.7.14 | 3.7.14 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-gcqv-f29m-67grghsaADVISORY
- github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67grnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-25133ghsaADVISORY
News mentions
50- Microsoft warns of Exchange zero-day flaw exploited in attacksBleepingComputer · May 15, 2026
- [Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th)SANS Internet Storm Center · May 15, 2026
- Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal FreightBleepingComputer · May 14, 2026
- Chinese APTs Expand Targets, Update Backdoors in Recent CampaignsSecurityWeek · May 14, 2026
- Škoda warns of customer data breach after online shop hackBleepingComputer · May 12, 2026
- BWH Hotels Says Hackers Had Access to Reservation Data for 6 MonthsSecurityWeek · May 12, 2026
- cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager BackdoorThe Hacker News · May 11, 2026
- BWH Hotels guests warned after reservation data checks out with cybercrooksThe Register Security · May 11, 2026
- UK water company allowed hackers to lurk undetected for nearly two years, regulator findsThe Record · May 11, 2026
- TrickMo Android banker adopts TON blockchain for covert commsBleepingComputer · May 11, 2026
- Zara data breach exposed personal information of 197,000 peopleBleepingComputer · May 8, 2026
- iOS 26.5 RC 2 (23F77)Apple Security Releases · May 8, 2026
- iPadOS 26.5 RC 2 (23F77)Apple Security Releases · May 8, 2026
- Ivanti Patches EPMM Zero-Day Exploited in Targeted AttacksSecurityWeek · May 8, 2026
- ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New StoriesThe Hacker News · May 7, 2026
- MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware AttackThe Hacker News · May 6, 2026
- Romanian Man Extradited to US for Role in Hacking Scheme 17 Years AgoSecurityWeek · May 6, 2026
- Google's Android Apps Get Public Verification to Stop Supply Chain AttacksThe Hacker News · May 6, 2026
- Trellix Source Code Breach Highlights Growing Supply Chain ThreatsDark Reading · May 5, 2026
- China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across RegionsThe Hacker News · May 5, 2026
- ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and WindowsThe Hacker News · May 5, 2026
- ScarCruft hackers push BirdCall Android malware via game platformBleepingComputer · May 5, 2026
- North Korean hackers trojanize gaming platform to spy on ethnic Koreans in ChinaHelp Net Security · May 5, 2026
- A rigged game: ScarCruft compromises gaming platform in a supply-chain attackESET WeLiveSecurity · May 5, 2026
- iOS 18.7.9 (22H355)Apple Security Releases · May 4, 2026
- watchOS 26.5 RC (23T570)Apple Security Releases · May 4, 2026
- iOS 26.5 RC (23F75)Apple Security Releases · May 4, 2026
- visionOS 26.5 RC (23O471)Apple Security Releases · May 4, 2026
- tvOS 26.5 RC (23L471)Apple Security Releases · May 4, 2026
- macOS 26.5 RC (25F71)Apple Security Releases · May 4, 2026
- iPadOS 18.7.9 (22H355)Apple Security Releases · May 4, 2026
- iPadOS 26.5 RC (23F75)Apple Security Releases · May 4, 2026
- Xcode 26.5 RC (17F42)Apple Security Releases · May 4, 2026
- Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion AttacksThe Hacker News · May 1, 2026
- The Good, the Bad and the Ugly in Cybersecurity – Week 18SentinelOne Labs · May 1, 2026
- Microsoft now lets admins choose pre-installed Store apps to uninstallBleepingComputer · May 1, 2026
- Hackers stole hundreds of thousands of Roblox accounts: Here’s what to doMalwarebytes Labs · Apr 30, 2026
- ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More StoriesThe Hacker News · Apr 30, 2026
- New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATsThe Hacker News · Apr 29, 2026
- Fresh Wave of GlassWorm VS Code Extensions Slices Through Supply ChainDark Reading · Apr 28, 2026
- Shutdowns, power outages, and conflict: a review of Q1 2026 Internet disruptionsCloudflare Blog · Apr 28, 2026
- Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege EscalationDark Reading · Apr 27, 2026
- PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian NetworksThe Hacker News · Apr 27, 2026
- Xcode 26.5 beta 3 (17F5032f)Apple Security Releases · Apr 27, 2026
- macOS 26.5 beta 4 (25F5068a)Apple Security Releases · Apr 27, 2026
- tvOS 26.5 beta 4 (23L5469a)Apple Security Releases · Apr 27, 2026
- visionOS 26.5 beta 4 (23O5468a)Apple Security Releases · Apr 27, 2026
- iPadOS 26.5 beta 4 (23F5069b)Apple Security Releases · Apr 27, 2026
- iOS 26.5 beta 4 (23F5069b)Apple Security Releases · Apr 27, 2026
- watchOS 26.5 beta 4 (23T5568a)Apple Security Releases · Apr 27, 2026