CVE-2025-61674

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-61674

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61674.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-61674

Aliases

GHSA-gxxc-m74c-f48x

Published

2026-01-10T03:14:11.185Z

Modified

2026-03-13T03:40:23.254298Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

October CMS Vulnerable to Stored XSS via Editor and Branding Styles

Details

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/61xxx/CVE-2025-61674.json"
}

References

Affected packages

Git / github.com/octobercms/october

Affected ranges

Type

GIT

Repo

https://github.com/octobercms/october

Events

Introduced

Fixed

6130d6d694f535340b2c58db29702cbcd6eb29a4

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.7.13"
        }
    ]
}

Affected versions

v1.*

v1.0.319

v1.0.320

v1.0.321

v1.0.322

v1.0.323

v1.0.324

v1.0.325

v1.0.326

v1.0.327

v1.0.328

v1.0.329

v1.0.330

v1.0.331

v1.0.332

v1.0.333

v1.0.334

v1.0.335

v1.0.336

v1.0.337

v1.0.338

v1.0.339

v1.0.340

v1.0.341

v1.0.342

v1.0.343

v1.0.344

v1.0.345

v1.0.346

v1.0.347

v1.0.348

v1.0.349

v1.0.350

v1.0.351

v1.0.352

v1.0.353

v1.0.354

v1.0.355

v1.0.356

v1.0.357

v1.0.358

v1.0.359

v1.0.360

v1.0.361

v1.0.362

v1.0.363

v1.0.364

v1.0.365

v1.0.366

v1.0.367

v1.0.368

v1.0.369

v1.0.370

v1.0.371

v1.0.372

v1.0.373

v1.0.374

v1.0.375

v1.0.376

v1.0.377

v1.0.378

v1.0.379

v1.0.380

v1.0.381

v1.0.382

v1.0.383

v1.0.384

v1.0.385

v1.0.386

v1.0.387

v1.0.388

v1.0.389

v1.0.390

v1.0.391

v1.0.392

v1.0.393

v1.0.394

v1.0.395

v1.0.396

v1.0.397

v1.0.398

v1.0.399

v1.0.400

v1.0.401

v1.0.402

v1.0.403

v1.0.404

v1.0.405

v1.0.406

v1.0.407

v1.0.408

v1.0.409

v1.0.410

v1.0.411

v1.0.412

v1.0.413

v1.0.414

v1.0.415

v1.0.416

v1.0.417

v1.0.418

v1.0.419

v1.0.420

v1.0.421

v1.0.422

v1.0.423

v1.0.424

v1.0.425

v1.0.426

v1.0.427

v1.0.428

v1.0.429

v1.0.430

v1.0.431

v1.0.432

v1.0.433

v1.0.434

v1.0.435

v1.0.436

v1.0.437

v1.0.438

v1.0.439

v1.0.440

v1.0.441

v1.0.442

v1.0.443

v1.0.444

v1.0.445

v1.0.446

v1.0.447

v1.0.448

v1.0.449

v1.0.450

v1.0.451

v1.0.452

v1.0.453

v1.0.454

v1.0.455

v1.0.456

v1.0.457

v1.0.458

v1.0.459

v1.0.460

v1.0.461

v1.0.462

v1.0.463

v1.0.464

v1.0.465

v1.0.466

v1.0.467

v1.0.468

v1.0.469

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v2.*

v2.0.0

v2.0.10

v2.0.13

v2.0.14

v2.0.15

v2.0.16

v2.0.27

v2.0.29

v2.0.3

v2.1.0

v2.1.10

v2.1.12

v2.1.16

v2.1.20

v2.1.21

v2.1.22

v2.1.23

v2.1.24

v2.1.25

v2.1.26

v2.1.27

v2.1.3

v2.1.5

v2.1.6

v2.1.8

v3.*

v3.0.0

v3.0.10

v3.0.17

v3.0.2

v3.0.22

v3.0.40

v3.0.42

v3.0.45

v3.0.46

v3.0.56

v3.0.6

v3.0.61

v3.0.62

v3.0.7

v3.0.74

v3.0.9

v3.1.0

v3.1.1

v3.1.12

v3.1.14

v3.1.22

v3.1.26

v3.2.0

v3.2.11

v3.3.0

v3.3.11

v3.3.3

v3.3.7

v3.3.9

v3.4.0

v3.4.1

v3.4.10

v3.4.14

v3.4.6

v3.4.9

v3.5.0

v3.5.1

v3.5.2

v3.5.4

v3.5.7

v3.5.8

v3.6.0

v3.6.1

v3.6.4

v3.7.0

v3.7.10

v3.7.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61674.json"