SB2026041436 - Multiple vulnerabilities in October CMS
Published: April 14, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-61676)
The vulnerability allows a remote privileged user to execute arbitrary script in backend pages.
The vulnerability exists due to insufficient sanitization of the branding and appearance stylesheet input in backend configuration forms. A remote privileged user can inject malicious HTML/JavaScript into the stylesheet field, which is then executed in backend pages.
Exploitation requires user interaction: a victim must view an affected backend page.
2) Cross-site scripting (CVE-ID: CVE-2025-61674)
The vulnerability allows a remote privileged user to execute arbitrary script in backend user sessions.
The vulnerability exists due to insufficient sanitization of the editor settings markup styles input in backend configuration forms. A remote privileged user can inject malicious HTML or JavaScript into the stylesheet input to execute arbitrary script in the sessions of other backend users.
Exploitation requires user interaction; the injected script affects backend pages viewed by other users.
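Both XSS items are the same bug class: a value from a "custom stylesheet" backend field is written into a <style> element. The following is an added illustration of that class and of the check a practitioner would want; it is not October CMS code, the function names are hypothetical, and it assumes PHP 8 and that the CSS ends up inside a <style> element (not a style attribute).

```php
<?php
declare(strict_types=1);

// Added illustration (not October CMS code): a backend stylesheet field embedded in a
// <style> element. Function names are hypothetical.

// Unsafe: the raw field value is concatenated into the page. A <style> element holds
// raw text, so a value that closes the element is parsed as HTML from that point on.
function renderStyleUnsafe(string $css): string
{
    return "<style>\n" . $css . "\n</style>";
}

// The only thing that terminates a <style> element is the end tag "</style"
// (case-insensitive); HTML entity escaping does not apply inside it, and
// htmlspecialchars() is the wrong tool here because it would turn the valid child
// combinator `a > b` into `a &gt; b`. No legitimate stylesheet needs the sequence "</",
// so reject the whole value when it appears rather than trying to "escape" CSS.
function isInlineStyleSafe(string $css): bool
{
    return stripos($css, '</') === false;
}

function renderStyleSafe(string $css): string
{
    if (!isInlineStyleSafe($css)) {
        throw new InvalidArgumentException('stylesheet field must not contain "</"');
    }
    return "<style>\n" . $css . "\n</style>";
}

// Constructed sample values: a legitimate stylesheet and one that breaks out of <style>.
$legit    = "body { color: #333; }\n.sidebar > a { text-decoration: none; }";
$breakout = "body { color: #333; }\n</style><img src=x onerror=\"alert(document.domain)\"><style>";

echo renderStyleUnsafe($breakout), "\n"; // the browser sees an <img> element, not CSS
var_dump(isInlineStyleSafe($legit));
var_dump(isInlineStyleSafe($breakout));
try {
    renderStyleSafe($breakout);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Rejecting "</" stops the break-out but does not make arbitrary CSS harmless (CSS can still load remote resources, for example). The more robust design is to serve admin-supplied CSS from its own URL with `Content-Type: text/css` and `X-Content-Type-Options: nosniff`, referenced via `<link rel="stylesheet">`, so it is never parsed as HTML at all, and to back that with a Content Security Policy on backend pages.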
3) Improper access control (CVE-ID: CVE-2026-22692)
The vulnerability allows a remote privileged user to disclose sensitive information.
The vulnerability exists due to improper access control in the Twig safe mode sandbox: certain methods on the collection returned by the collect() helper are not restricted. A remote privileged user can call these unrestricted collection methods to bypass the sandbox protections and disclose sensitive information.
Only installations with CMS_SAFE_MODE enabled are vulnerable.
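The shape of the fix for item 3 is a method allowlist in the Twig sandbox policy rather than a denylist. The following is an added illustration of that mechanism, not October CMS's actual sandbox configuration; it assumes `twig/twig` 3 and `illuminate/support` (which provides the `Collection` class behind `collect()`) are installed via Composer, and the function names `buildEnvironment` and `render` are hypothetical.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumes: composer require twig/twig illuminate/support

use Illuminate\Support\Collection;
use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\TwigFunction;

// Added illustration (not October CMS code): a sandboxed Twig environment exposing a
// collect() function, parameterised by the Collection methods templates may call.
function buildEnvironment(array $allowedCollectionMethods): Environment
{
    $twig = new Environment(new ArrayLoader());
    $twig->addFunction(new TwigFunction('collect', fn (iterable $items = []) => new Collection($items)));

    // SecurityPolicy(tags, filters, methods, properties, functions). The methods map is
    // class name => list of method names; anything not listed raises a SecurityError.
    $policy = new SecurityPolicy(
        ['if', 'for'],
        ['escape', 'join'],
        [Collection::class => $allowedCollectionMethods],
        [],
        ['collect'],
    );
    $twig->addExtension(new SandboxExtension($policy, true)); // true: every template is sandboxed
    return $twig;
}

function render(Environment $twig, string $source, array $vars = []): string
{
    try {
        return $twig->createTemplate($source)->render($vars);
    } catch (SecurityError $e) {
        return 'BLOCKED: ' . $e->getMessage();
    }
}

// Constructed sample data.
$rows = [['name' => 'alice'], ['name' => 'bob']];

// Weak policy: every public Collection method is callable from templates. Methods such
// as map(), each(), filter() and pipe() accept callables, including plain function-name
// strings, which is why exposing the whole class to untrusted template authors is unsafe.
$permissive = buildEnvironment(get_class_methods(Collection::class));

// Hardened policy: only a small set of read-only, callable-free methods.
$restricted = buildEnvironment(['count', 'first', 'last', 'isEmpty', 'pluck', 'toArray']);

$templates = [
    '{{ collect(rows).count() }}',
    "{{ collect(rows).pluck('name')|join(', ') }}",
    '{{ collect(rows).reverse().count() }}', // reverse() is harmless but not on the allowlist
];

foreach ($templates as $source) {
    echo $source, "\n";
    echo '  permissive: ', render($permissive, $source, ['rows' => $rows]), "\n";
    echo '  restricted: ', render($restricted, $source, ['rows' => $rows]), "\n";
}
```

The third template renders under the permissive policy and is refused under the restricted one, which is the behaviour to verify after patching: every method on the object returned by `collect()` that is not on the allowlist must raise a `SecurityError`, not silently execute.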
Remediation
Install updates from the vendor's website.