SB2026041437 - Multiple vulnerabilities in October CMS

Published: April 14, 2026

Security Bulletin ID: SB2026041437
Severity: Low
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-25133)

The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in the SVG sanitization logic when processing uploaded SVG files through the Media Manager. A remote user can upload a specially crafted SVG file to execute arbitrary script in a victim's browser.

User interaction is required because the uploaded SVG must be viewed or embedded in a page for the script to run.
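The defect above is a sanitizer that lets script-bearing SVG content through. The following is an added example of the kind of conservative check a media manager should apply before storing or serving an uploaded SVG; it is not October CMS code and makes no claim about how the vendor's sanitizer works. It removes script elements, event-handler attributes, active-content containers and script-scheme URLs, and returns a list of what it stripped so the upload can be logged or rejected. The sample upload embedded at the bottom is constructed for the demonstration.

```python
"""Conservative sanitizer for untrusted SVG uploads (added example, not October CMS code)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that carry or load active content; removed together with their subtree.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes allowed in href/xlink:href; any other value that has a scheme is dropped.
SAFE_URL = re.compile(r"^(https?:|data:image/(png|jpe?g|gif);)", re.IGNORECASE)
# Inline style constructs that can execute or load scripts in some renderers.
DANGEROUS_STYLE = re.compile(r"expression\s*\(|javascript:|url\s*\(", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def _url_is_safe(value: str) -> bool:
    # Remove whitespace and control characters first so that a scheme broken up
    # by a tab or newline ("java<TAB>script:") is still recognised as a scheme.
    normalized = re.sub(r"[\s\x00-\x1f]", "", value)
    if ":" not in normalized:
        return True  # relative path or #fragment: no scheme at all
    return SAFE_URL.match(normalized) is not None


def _clean(element: ET.Element, findings: list) -> None:
    for child in list(element):
        if _local(child.tag) in FORBIDDEN_ELEMENTS:
            element.remove(child)
            findings.append(f"element:{_local(child.tag)}")
        else:
            _clean(child, findings)
    for attr in list(element.attrib):
        name = _local(attr)
        value = element.attrib[attr]
        if name.startswith("on"):          # onload, onclick, onmouseover, ...
            del element.attrib[attr]
            findings.append(f"attribute:{name}")
        elif name == "href" and not _url_is_safe(value):   # href and xlink:href
            del element.attrib[attr]
            findings.append("attribute:href")
        elif name == "style" and DANGEROUS_STYLE.search(value):
            del element.attrib[attr]
            findings.append("attribute:style")


def sanitize_svg(svg_text: str):
    """Return (sanitized_svg, findings); raise ValueError if the input is not a plain SVG."""
    # Refuse DTDs outright: entity expansion is a separate denial-of-service risk and
    # an icon never needs one. For production parsing prefer defusedxml over xml.etree.
    if re.search(r"<!DOCTYPE", svg_text, re.IGNORECASE):
        raise ValueError("DOCTYPE declarations are not allowed in uploaded SVG")
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)   # comments and processing instructions are dropped here
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    findings: list = []
    _clean(root, findings)
    return ET.tostring(root, encoding="unicode"), findings


# Constructed upload: a benign icon with four typical script carriers mixed in.
SAMPLE_UPLOAD = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <script>alert(1)</script>
  <rect width="50" height="50" onclick="alert(1)" style="fill:red"/>
  <a xlink:href="java&#x09;script:alert(1)"><circle r="10"/></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><p>x</p></body></foreignObject>
  <image href="photo.png" x="0" y="0"/>
</svg>"""

if __name__ == "__main__":
    cleaned, stripped = sanitize_svg(SAMPLE_UPLOAD)
    print("stripped:", stripped)
    print(cleaned)
```

The findings list is the useful part for operations: an upload that produced any finding can be rejected rather than silently cleaned, and the entries give a log line that says which carrier was present. Serving uploads with `Content-Security-Policy: sandbox` or as `Content-Disposition: attachment` is an independent second layer if a sanitizer misses a case.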


2) Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CVE-ID: CVE-2026-25125)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements in the INI settings parser when processing page settings fields containing environment variable interpolation syntax. A remote privileged user can inject crafted ${} patterns into CMS page settings fields to disclose sensitive information.

Only instances with cms.safe_mode enabled are affected.
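The following is an added example of the defect class described in item 2, not October CMS code. The bulletin says the vendor's INI settings parser expands `${}` environment-variable syntax found in page settings fields; Python's `configparser` is used here as a stand-in, and its `ExtendedInterpolation` expands `${section:option}` references to other settings rather than environment variables, so the mechanism differs but the failure mode is the same: a value controlled by a page editor is fed through an interpolating parser and comes back carrying data its author was not meant to read. The settings content and the `db_password` value are constructed for the demonstration.

```python
"""Untrusted settings values passed through an interpolating INI parser (added example)."""
import configparser
import re

# Constructed example: settings the application writes itself, including a value
# that a page editor must never be able to read back.
APPLICATION_INI = """
[app]
db_password = hunter2
"""

INTERPOLATION_SYNTAX = re.compile(r"\$\{")


def read_page_title(user_title: str, interpolate: bool) -> str:
    """Store a user-supplied page title next to the application settings and read it
    back the way a rendering layer would. With interpolation enabled, ${...} inside the
    stored value is expanded against the other settings; with it disabled the value is
    returned exactly as stored."""
    parser = configparser.ConfigParser(
        interpolation=configparser.ExtendedInterpolation() if interpolate else None
    )
    parser.read_string(APPLICATION_INI)
    parser["page"] = {"title": user_title}   # the user-controlled field
    return parser["page"]["title"]


def validate_page_setting(value: str) -> str:
    """Input-side control: refuse the interpolation syntax before the value is stored.
    Returns the value unchanged when it is acceptable."""
    if INTERPOLATION_SYNTAX.search(value):
        raise ValueError("interpolation syntax is not allowed in page settings")
    return value


if __name__ == "__main__":
    leaked = read_page_title("${app:db_password}", interpolate=True)
    literal = read_page_title("${app:db_password}", interpolate=False)
    print("interpolating parser returned:", leaked)    # the secret, not the title
    print("non-interpolating parser returned:", literal)
```

Two controls are shown because they fail independently: parsing user-controlled sections without interpolation removes the expansion entirely, while rejecting `${` at write time keeps such values out of storage even if a later code path parses them differently. Note that with `ExtendedInterpolation` a literal dollar sign must be written `$$`, which is itself a sign that the parser is treating a display string as a template.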


3) Stored cross-site scripting (CVE-ID: CVE-2026-24906)

The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in the backend editor markup classes fields when rendering stored markup class values in RichEditor dropdown menus. A remote user can inject a malicious markup class value to execute arbitrary script in a victim's browser.

Exploitation requires authenticated backend access with editor settings permissions and is triggered when a user opens a RichEditor.


4) Stored cross-site scripting (CVE-ID: CVE-2026-24907)

The vulnerability allows a remote user to execute arbitrary JavaScript in the viewer's browser context.

The vulnerability exists due to cross-site scripting in the Event Log mail preview feature when rendering logged mail messages. A remote user can create a malicious mail template content entry to execute arbitrary JavaScript in the viewer's browser context.

Exploitation requires authenticated backend access with mail template editing permissions, and user interaction is required when a superuser views the specific Event Log entry.


Remediation

Install the update from the vendor's website.