#VU125887 Cross-site scripting in October CMS - CVE-2025-61674

 


Published: April 14, 2026


Vulnerability identifier: #VU125887
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-61674
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: October CMS
Software vendor: OctoberCMS

Description

The vulnerability allows a remote user to execute arbitrary script in backend user sessions.

The vulnerability exists due to cross-site scripting in the backend configuration forms when processing the markup styles input of the editor settings. A remote privileged user can inject malicious HTML or JavaScript into the stylesheet input, which then executes as script in backend user sessions.

User interaction is required, and the injected script can affect backend pages viewed by other users.
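
The sketch below is an added illustration, not code from October CMS or from this advisory. It assumes the saved stylesheet value is later emitted inside a `<style>` element on backend pages, and the function names and sample values are hypothetical. It contrasts raw concatenation with output that cannot close the element early.

```php
<?php
declare(strict_types=1);

// Added example, not October CMS code. Assumption: the saved "markup styles"
// value is later emitted inside a <style> element on backend pages.

/** Vulnerable pattern: the stored value is concatenated into the page as-is. */
function renderStylesUnsafe(string $css): string
{
    return '<style>' . $css . '</style>';
}

/**
 * Hardened pattern: neutralise the character that can end the <style>
 * raw-text element. HTML entities are not decoded inside <style>, so
 * htmlspecialchars() would corrupt the CSS; a CSS hex escape is used instead.
 */
function renderStylesSafe(string $css): string
{
    // Refuse input that is not valid UTF-8 or that contains control characters.
    if (preg_match('//u', $css) !== 1
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $css) === 1) {
        throw new InvalidArgumentException('Stylesheet contains invalid bytes');
    }
    // "\3C " is the CSS escape for "<"; the trailing space terminates the escape.
    return '<style>' . str_replace('<', '\\3C ', $css) . '</style>';
}

// Constructed sample values (not taken from the advisory).
$samples = [
    'benign'   => '.text-small { font-size: 12px; }',
    'breakout' => 'p{}</style><b data-test="injected-markup">x</b><style>',
];

foreach ($samples as $name => $css) {
    // More than one "</style" means the value closed the element early.
    $unsafe = substr_count(strtolower(renderStylesUnsafe($css)), '</style') > 1;
    $safe   = substr_count(strtolower(renderStylesSafe($css)), '</style') > 1;
    printf("%-8s unsafe closes early: %s, safe closes early: %s\n",
        $name, $unsafe ? 'yes' : 'no', $safe ? 'yes' : 'no');
}
```

The escape only prevents markup breakout from the `<style>` element; it does not replace the vendor update.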


Remediation

Install the security update from the vendor's website.

External links