Packagist (Composer) package

october/system

pkg:composer/october/system

Vulnerabilities (22)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-29179	Low	3.3	>= 4.0.0, < 4.1.16	4.1.16	Apr 21, 2026	October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly gra
CVE-2026-27937	Low	3.1	< 3.7.16	3.7.16	Apr 21, 2026	October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability i
CVE-2026-26067	Med	4.9	< 3.7.14	3.7.14	Apr 21, 2026	October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files t
CVE-2026-24907	Med	5.4	>= 4.0.0, < 4.1.10	4.1.10	Apr 14, 2026	October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without pr
CVE-2026-24906	Med	5.4	>= 4.0.0, < 4.1.10	4.1.10	Apr 14, 2026	October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) di
CVE-2025-61674		—	< 3.7.13	3.7.13	Jan 10, 2026	October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/
CVE-2025-61676		—	< 3.7.13	3.7.13	Jan 10, 2026	October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious H
CVE-2024-51991		—	< 3.7.5	3.7.5	May 5, 2025	October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media
CVE-2024-25637		—	>= 3.2, < 3.5.15	3.5.15	Jun 26, 2024	October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal br
CVE-2024-24764		—	>= 3.2, < 3.5.15	3.5.15	Jun 26, 2024	October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (`october://`) allowed external links, th
CVE-2023-44381		—	>= 3.0.0, < 3.4.15	3.4.15	Dec 1, 2023	October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be e
CVE-2023-44382		—	>= 3.0.0, < 3.4.15	3.4.15	Dec 1, 2023	October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be e
CVE-2023-44383		—	>= 3.0.0, < 3.5.2	3.5.2	Nov 29, 2023	October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files
CVE-2022-35944		—	>= 2.0.0, < 2.2.34	2.2.34	Oct 13, 2022	October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has acce
CVE-2022-24800		—	< 1.0.476	1.0.476	Jul 12, 2022	October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user ca
CVE-2022-23655		—	>= 1.1.0, < 1.1.11	1.1.11	Feb 23, 2022	Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their i
CVE-2022-21705		—	< 1.0.474	1.0.474	Feb 23, 2022	Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass
CVE-2021-32649		—	>= 1.1.0, < 1.1.6	1.1.6	Jan 14, 2022	October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially cra
CVE-2021-32650		—	>= 1.1.0, < 1.1.6	1.1.6	Jan 14, 2022	October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with access to the backend is able to execute PHP code by using the theme import feature. This will bypass the safe mode feat
CVE-2021-41126		—	>= 2.1.0, < 2.1.12	2.1.12	Oct 6, 2021	October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2

CVE-2026-29179LowApr 21, 2026
affected >= 4.0.0, < 4.1.16fixed 4.1.16
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly gra
CVE-2026-27937LowApr 21, 2026
affected < 3.7.16fixed 3.7.16
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability i
CVE-2026-26067MedApr 21, 2026
affected < 3.7.14fixed 3.7.14
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files t
CVE-2026-24907MedApr 14, 2026
affected >= 4.0.0, < 4.1.10fixed 4.1.10
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without pr
CVE-2026-24906MedApr 14, 2026
affected >= 4.0.0, < 4.1.10fixed 4.1.10
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) di
CVE-2025-61674Jan 10, 2026
affected < 3.7.13fixed 3.7.13
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/
CVE-2025-61676Jan 10, 2026
affected < 3.7.13fixed 3.7.13
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious H
CVE-2024-51991May 5, 2025
affected < 3.7.5fixed 3.7.5
October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media
CVE-2024-25637Jun 26, 2024
affected >= 3.2, < 3.5.15fixed 3.5.15
October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal br
CVE-2024-24764Jun 26, 2024
affected >= 3.2, < 3.5.15fixed 3.5.15
October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (`october://`) allowed external links, th
CVE-2023-44381Dec 1, 2023
affected >= 3.0.0, < 3.4.15fixed 3.4.15
October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be e
CVE-2023-44382Dec 1, 2023
affected >= 3.0.0, < 3.4.15fixed 3.4.15
October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be e
CVE-2023-44383Nov 29, 2023
affected >= 3.0.0, < 3.5.2fixed 3.5.2
October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files
CVE-2022-35944Oct 13, 2022
affected >= 2.0.0, < 2.2.34fixed 2.2.34
October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has acce
CVE-2022-24800Jul 12, 2022
affected < 1.0.476fixed 1.0.476
October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user ca
CVE-2022-23655Feb 23, 2022
affected >= 1.1.0, < 1.1.11fixed 1.1.11
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their i
CVE-2022-21705Feb 23, 2022
affected < 1.0.474fixed 1.0.474
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass
CVE-2021-32649Jan 14, 2022
affected >= 1.1.0, < 1.1.6fixed 1.1.6
October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially cra
CVE-2021-32650Jan 14, 2022
affected >= 1.1.0, < 1.1.6fixed 1.1.6
October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with access to the backend is able to execute PHP code by using the theme import feature. This will bypass the safe mode feat
CVE-2021-41126Oct 6, 2021
affected >= 2.1.0, < 2.1.12fixed 2.1.12
October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2

Page 1 of 2