VYPR

Packagist (Composer) package

october/rain

pkg:composer/october/rain

Vulnerabilities (6)

  • CVE-2026-25133 · Severity: Medium · Apr 14, 2026
    affected: >= 4.0.0, < 4.1.10 · fixed: 4.1.10

    October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could b

  • CVE-2026-25125 · Severity: Medium · Apr 14, 2026
    affected: >= 4.0.0, < 4.1.10 · fixed: 4.1.10

    October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpo

  • CVE-2026-22692 · Severity: Medium · Apr 14, 2026
    affected: >= 4.0.0, < 4.1.5 · fixed: 4.1.5

    October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restri

  • CVE-2021-3311 · Feb 5, 2021
    affected: < 1.0.472 · fixed: 1.0.472

    An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session ID

  • CVE-2020-15128 · Jul 31, 2020
    affected: >= 1.0.319, < 1.0.468 · fixed: 1.0.468

    In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core pr

  • CVE-2017-15284 · Severity: Medium · Oct 12, 2017
    affected: < 1.0.426 · fixed: 1.0.426

    Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.