Cross-site scripting in October CMS - CVE-2025-61674

Published: April 14, 2026


Vulnerability identifier: #VU125887
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-61674
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OctoberCMS
Affected software:
October CMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in backend user sessions.

The vulnerability exists due to insufficient sanitization of the editor settings "markup styles" input in backend configuration forms. A remote user with elevated privileges can inject malicious HTML or JavaScript into the stylesheet field and thereby execute arbitrary script in backend user sessions.

User interaction is required, and the injected script can affect backend pages viewed by other users.


How to mitigate CVE-2025-61674

Install the security update from the vendor's website.

Sources