Lookup for vulnerable packages by Package URL.

Purl pkg:composer/october/system@1.0.375
Type composer
Namespace october
Name system
Version 1.0.375
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-1b4g-vts2-akgy
vulnerability_id VCID-1b4g-vts2-akgy
summary October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory. This vulnerability affects plugins that expose `October\Rain\Database\Attach\File::fromData` as a public interface and does not affect vanilla installations of October CMS, since this method is not exposed or used by the system internally or externally. The issue has been patched in Build 476 (v1.0.476), v1.1.12, and v2.2.15. Those who are unable to upgrade may apply the patch to their installation manually as a workaround.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-24800
reference_id
reference_type
scores
0
value 0.02925
scoring_system epss
scoring_elements 0.86714
published_at 2026-06-11T12:55:00Z
1
value 0.02925
scoring_system epss
scoring_elements 0.8677
published_at 2026-06-14T12:55:00Z
2
value 0.02925
scoring_system epss
scoring_elements 0.86763
published_at 2026-06-12T12:55:00Z
3
value 0.02925
scoring_system epss
scoring_elements 0.86773
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-24800
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24800
reference_id CVE-2022-24800
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-24800
3
reference_url https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83
reference_id fe569f3babf3f593be2b1e0a4ae0283506127a83
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:51:41Z/
url https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83
4
reference_url https://github.com/advisories/GHSA-8v7h-cpc2-r8jp
reference_id GHSA-8v7h-cpc2-r8jp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8v7h-cpc2-r8jp
5
reference_url https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp
reference_id GHSA-8v7h-cpc2-r8jp
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:51:41Z/
url https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp
fixed_packages
0
url pkg:composer/october/system@1.0.476
purl pkg:composer/october/system@1.0.476
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3df2-mmnc-m7fg
1
vulnerability VCID-9juu-t4f1-rkb6
2
vulnerability VCID-epkg-8qq2-9fa3
3
vulnerability VCID-erbs-pnr9-e7eg
4
vulnerability VCID-fs6h-a1dq-n7av
5
vulnerability VCID-vhhm-2rbj-kqgg
6
vulnerability VCID-wz9u-6vry-yuhb
7
vulnerability VCID-xevy-axzn-n7g1
8
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.476
1
url pkg:composer/october/system@1.1.12
purl pkg:composer/october/system@1.1.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3df2-mmnc-m7fg
1
vulnerability VCID-9juu-t4f1-rkb6
2
vulnerability VCID-epkg-8qq2-9fa3
3
vulnerability VCID-erbs-pnr9-e7eg
4
vulnerability VCID-fs6h-a1dq-n7av
5
vulnerability VCID-vhhm-2rbj-kqgg
6
vulnerability VCID-wz9u-6vry-yuhb
7
vulnerability VCID-xevy-axzn-n7g1
8
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.12
2
url pkg:composer/october/system@2.2.15
purl pkg:composer/october/system@2.2.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@2.2.15
aliases CVE-2022-24800, GHSA-8v7h-cpc2-r8jp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1b4g-vts2-akgy
1
url VCID-3df2-mmnc-m7fg
vulnerability_id VCID-3df2-mmnc-m7fg
summary October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24907
reference_id
reference_type
scores
0
value 0.00037
scoring_system epss
scoring_elements 0.11436
published_at 2026-06-12T12:55:00Z
1
value 0.00037
scoring_system epss
scoring_elements 0.11362
published_at 2026-06-11T12:55:00Z
2
value 0.00037
scoring_system epss
scoring_elements 0.11397
published_at 2026-06-14T12:55:00Z
3
value 0.00037
scoring_system epss
scoring_elements 0.11429
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24907
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24907
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24907
3
reference_url https://github.com/advisories/GHSA-j4j5-9x6g-rgxc
reference_id GHSA-j4j5-9x6g-rgxc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j4j5-9x6g-rgxc
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-j4j5-9x6g-rgxc
reference_id GHSA-j4j5-9x6g-rgxc
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T19:29:36Z/
url https://github.com/octobercms/october/security/advisories/GHSA-j4j5-9x6g-rgxc
fixed_packages
0
url pkg:composer/october/system@3.7.14
purl pkg:composer/october/system@3.7.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.14
1
url pkg:composer/october/system@4.1.10
purl pkg:composer/october/system@4.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.10
aliases CVE-2026-24907, GHSA-j4j5-9x6g-rgxc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3df2-mmnc-m7fg
2
url VCID-3yyx-eyk9-affj
vulnerability_id VCID-3yyx-eyk9-affj
summary octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-32648
reference_id
reference_type
scores
0
value 0.93036
scoring_system epss
scoring_elements 0.99793
published_at 2026-06-13T12:55:00Z
1
value 0.93036
scoring_system epss
scoring_elements 0.99794
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-32648
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32648
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-32648
3
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648
4
reference_url https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374
reference_id 016a297b1bec55d2e53bc889458ed2cb5c3e9374
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-06T19:37:19Z/
url https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374
5
reference_url https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9
reference_id 5bd1a28140b825baebe6becd4f7562299d3de3b9
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H
1
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-06T19:37:19Z/
url https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9
6
reference_url https://github.com/advisories/GHSA-mxr5-mc97-63rc
reference_id GHSA-mxr5-mc97-63rc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mxr5-mc97-63rc
7
reference_url https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc
reference_id GHSA-mxr5-mc97-63rc
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-02-06T19:37:19Z/
url https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc
fixed_packages
0
url pkg:composer/october/system@1.0.472
purl pkg:composer/october/system@1.0.472
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-5f35-gkfm-ukbz
3
vulnerability VCID-95f4-rugd-3bcj
4
vulnerability VCID-9juu-t4f1-rkb6
5
vulnerability VCID-bjzw-dghn-bkh5
6
vulnerability VCID-bkpy-2t48-q7d3
7
vulnerability VCID-epkg-8qq2-9fa3
8
vulnerability VCID-erbs-pnr9-e7eg
9
vulnerability VCID-fs6h-a1dq-n7av
10
vulnerability VCID-vhhm-2rbj-kqgg
11
vulnerability VCID-wz9u-6vry-yuhb
12
vulnerability VCID-xevy-axzn-n7g1
13
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.472
1
url pkg:composer/october/system@1.1.5
purl pkg:composer/october/system@1.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-5f35-gkfm-ukbz
3
vulnerability VCID-95f4-rugd-3bcj
4
vulnerability VCID-9juu-t4f1-rkb6
5
vulnerability VCID-bjzw-dghn-bkh5
6
vulnerability VCID-bkpy-2t48-q7d3
7
vulnerability VCID-epkg-8qq2-9fa3
8
vulnerability VCID-erbs-pnr9-e7eg
9
vulnerability VCID-fs6h-a1dq-n7av
10
vulnerability VCID-vhhm-2rbj-kqgg
11
vulnerability VCID-wz9u-6vry-yuhb
12
vulnerability VCID-xevy-axzn-n7g1
13
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.5
aliases CVE-2021-32648, GHSA-mxr5-mc97-63rc
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3yyx-eyk9-affj
3
url VCID-5f35-gkfm-ukbz
vulnerability_id VCID-5f35-gkfm-ukbz
summary Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to build 474 or v1.1.10. The only known workaround is to manually apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a) which adds server signature validation.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23655
reference_id
reference_type
scores
0
value 0.00142
scoring_system epss
scoring_elements 0.34291
published_at 2026-06-14T12:55:00Z
1
value 0.00142
scoring_system epss
scoring_elements 0.34286
published_at 2026-06-12T12:55:00Z
2
value 0.00142
scoring_system epss
scoring_elements 0.34109
published_at 2026-06-11T12:55:00Z
3
value 0.00142
scoring_system epss
scoring_elements 0.34311
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23655
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23655
reference_id CVE-2022-23655
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23655
3
reference_url https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a
reference_id e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:10:01Z/
url https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a
4
reference_url https://github.com/advisories/GHSA-53m6-44rc-h2q5
reference_id GHSA-53m6-44rc-h2q5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-53m6-44rc-h2q5
5
reference_url https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5
reference_id GHSA-53m6-44rc-h2q5
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:10:01Z/
url https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5
fixed_packages
0
url pkg:composer/october/system@1.0.475
purl pkg:composer/october/system@1.0.475
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-9juu-t4f1-rkb6
3
vulnerability VCID-epkg-8qq2-9fa3
4
vulnerability VCID-erbs-pnr9-e7eg
5
vulnerability VCID-fs6h-a1dq-n7av
6
vulnerability VCID-vhhm-2rbj-kqgg
7
vulnerability VCID-wz9u-6vry-yuhb
8
vulnerability VCID-xevy-axzn-n7g1
9
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.475
1
url pkg:composer/october/system@1.1.11
purl pkg:composer/october/system@1.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-9juu-t4f1-rkb6
3
vulnerability VCID-epkg-8qq2-9fa3
4
vulnerability VCID-erbs-pnr9-e7eg
5
vulnerability VCID-fs6h-a1dq-n7av
6
vulnerability VCID-vhhm-2rbj-kqgg
7
vulnerability VCID-wz9u-6vry-yuhb
8
vulnerability VCID-xevy-axzn-n7g1
9
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.11
aliases CVE-2022-23655, GHSA-53m6-44rc-h2q5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5f35-gkfm-ukbz
4
url VCID-95f4-rugd-3bcj
vulnerability_id VCID-95f4-rugd-3bcj
summary Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this vulnerability, an attacker must first have access to the backend area. The issue has been patched in Build 474 (v1.0.474) and v1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to their installation manually.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-21705
reference_id
reference_type
scores
0
value 0.70336
scoring_system epss
scoring_elements 0.98712
published_at 2026-06-12T12:55:00Z
1
value 0.70336
scoring_system epss
scoring_elements 0.98714
published_at 2026-06-14T12:55:00Z
2
value 0.70336
scoring_system epss
scoring_elements 0.98713
published_at 2026-06-13T12:55:00Z
3
value 0.70336
scoring_system epss
scoring_elements 0.98707
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-21705
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe
reference_id c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:38Z/
url https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-21705
reference_id CVE-2022-21705
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-21705
4
reference_url https://github.com/advisories/GHSA-79jw-2f46-wv22
reference_id GHSA-79jw-2f46-wv22
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-79jw-2f46-wv22
5
reference_url https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22
reference_id GHSA-79jw-2f46-wv22
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:38Z/
url https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22
fixed_packages
0
url pkg:composer/october/system@1.0.474
purl pkg:composer/october/system@1.0.474
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-5f35-gkfm-ukbz
3
vulnerability VCID-9juu-t4f1-rkb6
4
vulnerability VCID-epkg-8qq2-9fa3
5
vulnerability VCID-erbs-pnr9-e7eg
6
vulnerability VCID-fs6h-a1dq-n7av
7
vulnerability VCID-vhhm-2rbj-kqgg
8
vulnerability VCID-wz9u-6vry-yuhb
9
vulnerability VCID-xevy-axzn-n7g1
10
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.474
1
url pkg:composer/october/system@1.1.10
purl pkg:composer/october/system@1.1.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-5f35-gkfm-ukbz
3
vulnerability VCID-9juu-t4f1-rkb6
4
vulnerability VCID-epkg-8qq2-9fa3
5
vulnerability VCID-erbs-pnr9-e7eg
6
vulnerability VCID-fs6h-a1dq-n7av
7
vulnerability VCID-vhhm-2rbj-kqgg
8
vulnerability VCID-wz9u-6vry-yuhb
9
vulnerability VCID-xevy-axzn-n7g1
10
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.10
2
url pkg:composer/october/system@2.1.27
purl pkg:composer/october/system@2.1.27
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@2.1.27
aliases CVE-2022-21705, GHSA-79jw-2f46-wv22
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-95f4-rugd-3bcj
5
url VCID-9juu-t4f1-rkb6
vulnerability_id VCID-9juu-t4f1-rkb6
summary October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29179
reference_id
reference_type
scores
0
value 0.00033
scoring_system epss
scoring_elements 0.10244
published_at 2026-06-14T12:55:00Z
1
value 0.00033
scoring_system epss
scoring_elements 0.10203
published_at 2026-06-11T12:55:00Z
2
value 0.00033
scoring_system epss
scoring_elements 0.10258
published_at 2026-06-13T12:55:00Z
3
value 0.00033
scoring_system epss
scoring_elements 0.10252
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29179
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29179
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29179
3
reference_url https://github.com/advisories/GHSA-jvwg-phxx-j3rp
reference_id GHSA-jvwg-phxx-j3rp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jvwg-phxx-j3rp
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp
reference_id GHSA-jvwg-phxx-j3rp
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T16:46:35Z/
url https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp
fixed_packages
0
url pkg:composer/october/system@3.7.16
purl pkg:composer/october/system@3.7.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.16
1
url pkg:composer/october/system@4.1.16
purl pkg:composer/october/system@4.1.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.16
aliases CVE-2026-29179, GHSA-jvwg-phxx-j3rp
risk_score 1.5
exploitability 0.5
weighted_severity 3.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9juu-t4f1-rkb6
6
url VCID-bjzw-dghn-bkh5
vulnerability_id VCID-bjzw-dghn-bkh5
summary October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in the template markup. The issue has been patched in Build 473 (v1.0.473) and v1.1.6. Those unable to upgrade may apply the patch to their installation manually as a workaround.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-32649
reference_id
reference_type
scores
0
value 0.005
scoring_system epss
scoring_elements 0.66515
published_at 2026-06-12T12:55:00Z
1
value 0.005
scoring_system epss
scoring_elements 0.66527
published_at 2026-06-14T12:55:00Z
2
value 0.005
scoring_system epss
scoring_elements 0.66529
published_at 2026-06-13T12:55:00Z
3
value 0.005
scoring_system epss
scoring_elements 0.66422
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-32649
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26
reference_id 167b592eed291ae1563c8fcc5b9b34a03a300f26
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:56:55Z/
url https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32649
reference_id CVE-2021-32649
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-32649
4
reference_url https://github.com/advisories/GHSA-wv23-pfj7-2mjj
reference_id GHSA-wv23-pfj7-2mjj
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wv23-pfj7-2mjj
5
reference_url https://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj
reference_id GHSA-wv23-pfj7-2mjj
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:56:55Z/
url https://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj
fixed_packages
0
url pkg:composer/october/system@1.0.473
purl pkg:composer/october/system@1.0.473
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-5f35-gkfm-ukbz
3
vulnerability VCID-95f4-rugd-3bcj
4
vulnerability VCID-9juu-t4f1-rkb6
5
vulnerability VCID-epkg-8qq2-9fa3
6
vulnerability VCID-erbs-pnr9-e7eg
7
vulnerability VCID-fs6h-a1dq-n7av
8
vulnerability VCID-vhhm-2rbj-kqgg
9
vulnerability VCID-wz9u-6vry-yuhb
10
vulnerability VCID-xevy-axzn-n7g1
11
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.473
1
url pkg:composer/october/system@1.1.6
purl pkg:composer/october/system@1.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-5f35-gkfm-ukbz
3
vulnerability VCID-95f4-rugd-3bcj
4
vulnerability VCID-9juu-t4f1-rkb6
5
vulnerability VCID-epkg-8qq2-9fa3
6
vulnerability VCID-erbs-pnr9-e7eg
7
vulnerability VCID-fs6h-a1dq-n7av
8
vulnerability VCID-vhhm-2rbj-kqgg
9
vulnerability VCID-wz9u-6vry-yuhb
10
vulnerability VCID-xevy-axzn-n7g1
11
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.6
aliases CVE-2021-32649, GHSA-wv23-pfj7-2mjj
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bjzw-dghn-bkh5
7
url VCID-bkpy-2t48-q7d3
vulnerability_id VCID-bkpy-2t48-q7d3
summary October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with access to the backend is able to execute PHP code by using the theme import feature. This will bypass the safe mode feature that prevents PHP execution in the CMS templates. The issue has been patched in Build 473 (v1.0.473) and v1.1.6. Those unable to upgrade may apply the patch to their installation manually as a workaround.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-32650
reference_id
reference_type
scores
0
value 0.01086
scoring_system epss
scoring_elements 0.7839
published_at 2026-06-14T12:55:00Z
1
value 0.01086
scoring_system epss
scoring_elements 0.78312
published_at 2026-06-11T12:55:00Z
2
value 0.01086
scoring_system epss
scoring_elements 0.78393
published_at 2026-06-13T12:55:00Z
3
value 0.01086
scoring_system epss
scoring_elements 0.7838
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-32650
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26
reference_id 167b592eed291ae1563c8fcc5b9b34a03a300f26
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:45:24Z/
url https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32650
reference_id CVE-2021-32650
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-32650
4
reference_url https://github.com/advisories/GHSA-5hfj-r725-wpc4
reference_id GHSA-5hfj-r725-wpc4
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5hfj-r725-wpc4
5
reference_url https://github.com/octobercms/october/security/advisories/GHSA-5hfj-r725-wpc4
reference_id GHSA-5hfj-r725-wpc4
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:45:24Z/
url https://github.com/octobercms/october/security/advisories/GHSA-5hfj-r725-wpc4
fixed_packages
0
url pkg:composer/october/system@1.0.473
purl pkg:composer/october/system@1.0.473
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-5f35-gkfm-ukbz
3
vulnerability VCID-95f4-rugd-3bcj
4
vulnerability VCID-9juu-t4f1-rkb6
5
vulnerability VCID-epkg-8qq2-9fa3
6
vulnerability VCID-erbs-pnr9-e7eg
7
vulnerability VCID-fs6h-a1dq-n7av
8
vulnerability VCID-vhhm-2rbj-kqgg
9
vulnerability VCID-wz9u-6vry-yuhb
10
vulnerability VCID-xevy-axzn-n7g1
11
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.473
1
url pkg:composer/october/system@1.1.6
purl pkg:composer/october/system@1.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-5f35-gkfm-ukbz
3
vulnerability VCID-95f4-rugd-3bcj
4
vulnerability VCID-9juu-t4f1-rkb6
5
vulnerability VCID-epkg-8qq2-9fa3
6
vulnerability VCID-erbs-pnr9-e7eg
7
vulnerability VCID-fs6h-a1dq-n7av
8
vulnerability VCID-vhhm-2rbj-kqgg
9
vulnerability VCID-wz9u-6vry-yuhb
10
vulnerability VCID-xevy-axzn-n7g1
11
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.6
aliases CVE-2021-32650, GHSA-5hfj-r725-wpc4
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bkpy-2t48-q7d3
8
url VCID-epkg-8qq2-9fa3
vulnerability_id VCID-epkg-8qq2-9fa3
summary October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and 4.1.16.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27937
reference_id
reference_type
scores
0
value 0.00036
scoring_system epss
scoring_elements 0.11089
published_at 2026-06-14T12:55:00Z
1
value 0.00036
scoring_system epss
scoring_elements 0.11061
published_at 2026-06-11T12:55:00Z
2
value 0.00036
scoring_system epss
scoring_elements 0.11121
published_at 2026-06-13T12:55:00Z
3
value 0.00036
scoring_system epss
scoring_elements 0.11127
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27937
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27937
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27937
3
reference_url https://github.com/advisories/GHSA-jj38-h5w5-mvpf
reference_id GHSA-jj38-h5w5-mvpf
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jj38-h5w5-mvpf
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf
reference_id GHSA-jj38-h5w5-mvpf
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T20:27:38Z/
url https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf
fixed_packages
0
url pkg:composer/october/system@3.7.16
purl pkg:composer/october/system@3.7.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.16
1
url pkg:composer/october/system@4.1.16
purl pkg:composer/october/system@4.1.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.16
aliases CVE-2026-27937, GHSA-jj38-h5w5-mvpf
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-epkg-8qq2-9fa3
9
url VCID-erbs-pnr9-e7eg
vulnerability_id VCID-erbs-pnr9-e7eg
summary October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input at Styles from Branding & Appearance settings. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61676
reference_id
reference_type
scores
0
value 0.00026
scoring_system epss
scoring_elements 0.0772
published_at 2026-06-12T12:55:00Z
1
value 0.00026
scoring_system epss
scoring_elements 0.07708
published_at 2026-06-14T12:55:00Z
2
value 0.00026
scoring_system epss
scoring_elements 0.07714
published_at 2026-06-13T12:55:00Z
3
value 0.00026
scoring_system epss
scoring_elements 0.07684
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61676
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61676
reference_id CVE-2025-61676
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61676
3
reference_url https://github.com/advisories/GHSA-wvpq-h33f-8rp6
reference_id GHSA-wvpq-h33f-8rp6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wvpq-h33f-8rp6
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6
reference_id GHSA-wvpq-h33f-8rp6
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:34:07Z/
url https://github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6
fixed_packages
0
url pkg:composer/october/system@3.7.13
purl pkg:composer/october/system@3.7.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3df2-mmnc-m7fg
1
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.13
1
url pkg:composer/october/system@4.0.12
purl pkg:composer/october/system@4.0.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.0.12
aliases CVE-2025-61676, GHSA-wvpq-h33f-8rp6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-erbs-pnr9-e7eg
10
url VCID-fs6h-a1dq-n7av
vulnerability_id VCID-fs6h-a1dq-n7av
summary October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26067
reference_id
reference_type
scores
0
value 0.00054
scoring_system epss
scoring_elements 0.17278
published_at 2026-06-12T12:55:00Z
1
value 0.00054
scoring_system epss
scoring_elements 0.17267
published_at 2026-06-14T12:55:00Z
2
value 0.00054
scoring_system epss
scoring_elements 0.17117
published_at 2026-06-11T12:55:00Z
3
value 0.00054
scoring_system epss
scoring_elements 0.17294
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26067
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26067
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-26067
3
reference_url https://github.com/advisories/GHSA-3888-q23f-x7qh
reference_id GHSA-3888-q23f-x7qh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3888-q23f-x7qh
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh
reference_id GHSA-3888-q23f-x7qh
reference_type
scores
0
value 4.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T17:35:10Z/
url https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh
fixed_packages
0
url pkg:composer/october/system@3.7.14
purl pkg:composer/october/system@3.7.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.14
1
url pkg:composer/october/system@4.1.10
purl pkg:composer/october/system@4.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.10
aliases CVE-2026-26067, GHSA-3888-q23f-x7qh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fs6h-a1dq-n7av
11
url VCID-pvc8-z6uw-1yan
vulnerability_id VCID-pvc8-z6uw-1yan
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-29487
reference_id
reference_type
scores
0
value 0.00503
scoring_system epss
scoring_elements 0.66554
published_at 2026-06-11T12:55:00Z
1
value 0.00503
scoring_system epss
scoring_elements 0.66647
published_at 2026-06-12T12:55:00Z
2
value 0.00503
scoring_system epss
scoring_elements 0.6666
published_at 2026-06-13T12:55:00Z
3
value 0.00503
scoring_system epss
scoring_elements 0.66659
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-29487
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://github.com/octobercms/october/security/advisories/GHSA-h76r-vgf3-j6w5
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october/security/advisories/GHSA-h76r-vgf3-j6w5
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-29487
reference_id
reference_type
scores
0
value 7.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-29487
4
reference_url https://github.com/advisories/GHSA-h76r-vgf3-j6w5
reference_id GHSA-h76r-vgf3-j6w5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h76r-vgf3-j6w5
fixed_packages
0
url pkg:composer/october/system@1.0.472
purl pkg:composer/october/system@1.0.472
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-5f35-gkfm-ukbz
3
vulnerability VCID-95f4-rugd-3bcj
4
vulnerability VCID-9juu-t4f1-rkb6
5
vulnerability VCID-bjzw-dghn-bkh5
6
vulnerability VCID-bkpy-2t48-q7d3
7
vulnerability VCID-epkg-8qq2-9fa3
8
vulnerability VCID-erbs-pnr9-e7eg
9
vulnerability VCID-fs6h-a1dq-n7av
10
vulnerability VCID-vhhm-2rbj-kqgg
11
vulnerability VCID-wz9u-6vry-yuhb
12
vulnerability VCID-xevy-axzn-n7g1
13
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.472
1
url pkg:composer/october/system@1.1.5
purl pkg:composer/october/system@1.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-5f35-gkfm-ukbz
3
vulnerability VCID-95f4-rugd-3bcj
4
vulnerability VCID-9juu-t4f1-rkb6
5
vulnerability VCID-bjzw-dghn-bkh5
6
vulnerability VCID-bkpy-2t48-q7d3
7
vulnerability VCID-epkg-8qq2-9fa3
8
vulnerability VCID-erbs-pnr9-e7eg
9
vulnerability VCID-fs6h-a1dq-n7av
10
vulnerability VCID-vhhm-2rbj-kqgg
11
vulnerability VCID-wz9u-6vry-yuhb
12
vulnerability VCID-xevy-axzn-n7g1
13
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.5
aliases CVE-2021-29487, GHSA-h76r-vgf3-j6w5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pvc8-z6uw-1yan
12
url VCID-vhhm-2rbj-kqgg
vulnerability_id VCID-vhhm-2rbj-kqgg
summary October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61674
reference_id
reference_type
scores
0
value 0.00026
scoring_system epss
scoring_elements 0.07684
published_at 2026-06-11T12:55:00Z
1
value 0.00026
scoring_system epss
scoring_elements 0.07708
published_at 2026-06-14T12:55:00Z
2
value 0.00026
scoring_system epss
scoring_elements 0.07714
published_at 2026-06-13T12:55:00Z
3
value 0.00026
scoring_system epss
scoring_elements 0.0772
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61674
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61674
reference_id CVE-2025-61674
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61674
3
reference_url https://github.com/advisories/GHSA-gxxc-m74c-f48x
reference_id GHSA-gxxc-m74c-f48x
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gxxc-m74c-f48x
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x
reference_id GHSA-gxxc-m74c-f48x
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:33:26Z/
url https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x
fixed_packages
0
url pkg:composer/october/system@3.7.13
purl pkg:composer/october/system@3.7.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3df2-mmnc-m7fg
1
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.13
1
url pkg:composer/october/system@4.0.12
purl pkg:composer/october/system@4.0.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.0.12
aliases CVE-2025-61674, GHSA-gxxc-m74c-f48x
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vhhm-2rbj-kqgg
13
url VCID-wyg6-vfje-3ugx
vulnerability_id VCID-wyg6-vfje-3ugx
summary Use of insecure jQuery version in OctoberCMS
references
0
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
1
reference_url https://github.com/octobercms/october/commit/5c7ba9fbe9f2b596b2f0e3436ee06b91b97e5892
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october/commit/5c7ba9fbe9f2b596b2f0e3436ee06b91b97e5892
2
reference_url https://github.com/octobercms/october/issues/5097
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october/issues/5097
3
reference_url https://github.com/advisories/GHSA-v73w-r9xg-7cr9
reference_id GHSA-v73w-r9xg-7cr9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v73w-r9xg-7cr9
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-v73w-r9xg-7cr9
reference_id GHSA-v73w-r9xg-7cr9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october/security/advisories/GHSA-v73w-r9xg-7cr9
fixed_packages
0
url pkg:composer/october/system@1.0.466
purl pkg:composer/october/system@1.0.466
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1b4g-vts2-akgy
1
vulnerability VCID-3df2-mmnc-m7fg
2
vulnerability VCID-3yyx-eyk9-affj
3
vulnerability VCID-5f35-gkfm-ukbz
4
vulnerability VCID-95f4-rugd-3bcj
5
vulnerability VCID-9juu-t4f1-rkb6
6
vulnerability VCID-bjzw-dghn-bkh5
7
vulnerability VCID-bkpy-2t48-q7d3
8
vulnerability VCID-epkg-8qq2-9fa3
9
vulnerability VCID-erbs-pnr9-e7eg
10
vulnerability VCID-fs6h-a1dq-n7av
11
vulnerability VCID-pvc8-z6uw-1yan
12
vulnerability VCID-vhhm-2rbj-kqgg
13
vulnerability VCID-wz9u-6vry-yuhb
14
vulnerability VCID-xevy-axzn-n7g1
15
vulnerability VCID-yuk8-p75s-dugm
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.466
aliases GHSA-v73w-r9xg-7cr9, GMS-2020-570, GMS-2020-582
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wyg6-vfje-3ugx
14
url VCID-wz9u-6vry-yuhb
vulnerability_id VCID-wz9u-6vry-yuhb
summary October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension. This vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user. This issue has been patched in v3.7.5.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-51991
reference_id
reference_type
scores
0
value 0.00109
scoring_system epss
scoring_elements 0.29042
published_at 2026-06-13T12:55:00Z
1
value 0.00117
scoring_system epss
scoring_elements 0.30327
published_at 2026-06-14T12:55:00Z
2
value 0.00313
scoring_system epss
scoring_elements 0.54968
published_at 2026-06-12T12:55:00Z
3
value 0.00313
scoring_system epss
scoring_elements 0.54846
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-51991
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 1.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-51991
reference_id
reference_type
scores
0
value 1.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-51991
3
reference_url https://github.com/advisories/GHSA-96hh-8hx5-cpw7
reference_id GHSA-96hh-8hx5-cpw7
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-96hh-8hx5-cpw7
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7
reference_id GHSA-96hh-8hx5-cpw7
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 1.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-05T18:06:02Z/
url https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7
fixed_packages
0
url pkg:composer/october/system@3.7.5
purl pkg:composer/october/system@3.7.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.5
aliases CVE-2024-51991, GHSA-96hh-8hx5-cpw7
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wz9u-6vry-yuhb
15
url VCID-xevy-axzn-n7g1
vulnerability_id VCID-xevy-axzn-n7g1
summary October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request. The issue has been patched in versions 2.2.34 and 3.0.66.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-35944
reference_id
reference_type
scores
0
value 0.00532
scoring_system epss
scoring_elements 0.67721
published_at 2026-06-11T12:55:00Z
1
value 0.00532
scoring_system epss
scoring_elements 0.6782
published_at 2026-06-14T12:55:00Z
2
value 0.00532
scoring_system epss
scoring_elements 0.67823
published_at 2026-06-13T12:55:00Z
3
value 0.00532
scoring_system epss
scoring_elements 0.6781
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-35944
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-35944
reference_id CVE-2022-35944
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-35944
3
reference_url https://github.com/advisories/GHSA-x4q7-m6fp-4v9v
reference_id GHSA-x4q7-m6fp-4v9v
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x4q7-m6fp-4v9v
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v
reference_id GHSA-x4q7-m6fp-4v9v
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:47:57Z/
url https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v
fixed_packages
0
url pkg:composer/october/system@2.2.34
purl pkg:composer/october/system@2.2.34
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@2.2.34
1
url pkg:composer/october/system@3.0.66
purl pkg:composer/october/system@3.0.66
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.0.66
aliases CVE-2022-35944, GHSA-x4q7-m6fp-4v9v
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xevy-axzn-n7g1
16
url VCID-yuk8-p75s-dugm
vulnerability_id VCID-yuk8-p75s-dugm
summary October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To work around this issue, restrict editor settings permissions to fully trusted administrators only.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-24906
reference_id
reference_type
scores
0
value 0.00012
scoring_system epss
scoring_elements 0.01913
published_at 2026-06-13T12:55:00Z
1
value 0.00012
scoring_system epss
scoring_elements 0.01922
published_at 2026-06-14T12:55:00Z
2
value 0.00012
scoring_system epss
scoring_elements 0.01907
published_at 2026-06-11T12:55:00Z
3
value 0.00012
scoring_system epss
scoring_elements 0.01911
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-24906
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24906
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-24906
3
reference_url https://github.com/advisories/GHSA-6qmh-j78v-ffp7
reference_id GHSA-6qmh-j78v-ffp7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6qmh-j78v-ffp7
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-6qmh-j78v-ffp7
reference_id GHSA-6qmh-j78v-ffp7
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
3
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T13:45:53Z/
url https://github.com/octobercms/october/security/advisories/GHSA-6qmh-j78v-ffp7
fixed_packages
0
url pkg:composer/october/system@3.7.14
purl pkg:composer/october/system@3.7.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.14
1
url pkg:composer/october/system@4.1.10
purl pkg:composer/october/system@4.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.10
aliases CVE-2026-24906, GHSA-6qmh-j78v-ffp7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yuk8-p75s-dugm
Fixing_vulnerabilities
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.375