{"url":"http://public2.vulnerablecode.io/api/packages/19500?format=json","purl":"pkg:composer/october/system@1.0.475","type":"composer","namespace":"october","name":"system","version":"1.0.475","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/173498?format=json","vulnerability_id":"VCID-1b4g-vts2-akgy","summary":"October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory. This vulnerability affects plugins that expose the `October\\Rain\\Database\\Attach\\File::fromData` as a public interface and does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally. The issue has been patched in Build 476 (v1.0.476), v1.1.12, and v2.2.15. 
Those who are unable to upgrade may apply the patch to their installation manually as a workaround.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24800","reference_id":"","reference_type":"","scores":[{"value":"0.02925","scoring_system":"epss","scoring_elements":"0.86763","published_at":"2026-06-12T12:55:00Z"},{"value":"0.02925","scoring_system":"epss","scoring_elements":"0.86714","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24800"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24800","reference_id":"CVE-2022-24800","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24800"},{"reference_url":"https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83","reference_id":"fe569f3babf3f593be2b1e0a4ae0283506127a83","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:51:41Z/"}],"url":"https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83"},{"reference_url":"https://github.com/advisories/GHSA-8v7h-cpc2-r8jp","reference_id":"GHSA-8v7h-cpc2-r8jp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3
.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8v7h-cpc2-r8jp"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp","reference_id":"GHSA-8v7h-cpc2-r8jp","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:51:41Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/25318?format=json","purl":"pkg:composer/october/system@1.0.476","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3df2-mmnc-m7fg"},{"vulnerability":"VCID-9juu-t4f1-rkb6"},{"vulnerability":"VCID-epkg-8qq2-9fa3"},{"vulnerability":"VCID-erbs-pnr9-e7eg"},{"vulnerability":"VCID-fs6h-a1dq-n7av"},{"vulnerability":"VCID-vhhm-2rbj-kqgg"},{"vulnerability":"VCID-wz9u-6vry-yuhb"},{"vulnerability":"VCID-xevy-axzn-n7g1"},{"vulnerability":"VCID-yuk8-p75s-dugm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.476"},{"url":"http://public2.vulnerablecode.io/api/packages/25320?format=json","purl":"pkg:composer/october/system@1.1.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3df2-mmnc-m7fg"},{"vulnerability":"VCID-9juu-t4f1-rkb6"},{"vulnerability":"VCID-epkg-8qq2-9fa3"},{"vulnerability":"VCID-erbs-pnr9-e7eg"},{"vulnerability":"VCID-fs6h-a1dq-n7av"},{"vulnerability":"VCID-vhhm-2rbj-kqgg"},{"vulnerability":"VCID-wz9u-6vry-yuhb"},{"vulnerability":"VCID-xevy-axzn-n7g1"},{"vulnerability":"VCID-yuk8-p75s-dugm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.12"},{"url":"http:
//public2.vulnerablecode.io/api/packages/25317?format=json","purl":"pkg:composer/october/system@2.2.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@2.2.15"}],"aliases":["CVE-2022-24800","GHSA-8v7h-cpc2-r8jp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1b4g-vts2-akgy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/82576?format=json","vulnerability_id":"VCID-3df2-mmnc-m7fg","summary":"October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. 
If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24907","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11436","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11362","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24907"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24907","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24907"},{"reference_url":"https://github.com/advisories/GHSA-j4j5-9x6g-rgxc","reference_id":"GHSA-j4j5-9x6g-rgxc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j4j5-9x6g-rgxc"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-j4j5-9x6g-rgxc","reference_id":"GHSA-j4j5-9x6g-rgxc","ref
erence_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T19:29:36Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-j4j5-9x6g-rgxc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373496?format=json","purl":"pkg:composer/october/system@3.7.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.14"},{"url":"http://public2.vulnerablecode.io/api/packages/373495?format=json","purl":"pkg:composer/october/system@4.1.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.10"}],"aliases":["CVE-2026-24907","GHSA-j4j5-9x6g-rgxc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3df2-mmnc-m7fg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74138?format=json","vulnerability_id":"VCID-9juu-t4f1-rkb6","summary":"October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. 
This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29179","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10252","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10203","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29179"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29179","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29179"},{"reference_url":"https://github.com/advisories/GHSA-jvwg-phxx-j3rp","reference_id":"GHSA-jvwg-phxx-j3rp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jvwg-phxx-j3rp"},{"reference_url":"https://github.com/octobercms/october/security/
advisories/GHSA-jvwg-phxx-j3rp","reference_id":"GHSA-jvwg-phxx-j3rp","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T16:46:35Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373764?format=json","purl":"pkg:composer/october/system@3.7.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.16"},{"url":"http://public2.vulnerablecode.io/api/packages/373763?format=json","purl":"pkg:composer/october/system@4.1.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.16"}],"aliases":["CVE-2026-29179","GHSA-jvwg-phxx-j3rp"],"risk_score":1.5,"exploitability":"0.5","weighted_severity":"3.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9juu-t4f1-rkb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80336?format=json","vulnerability_id":"VCID-epkg-8qq2-9fa3","summary":"October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. 
This vulnerability is fixed in 3.7.16 and 4.1.16.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27937","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11127","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11061","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27937"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27937","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27937"},{"reference_url":"https://github.com/advisories/GHSA-jj38-h5w5-mvpf","reference_id":"GHSA-jj38-h5w5-mvpf","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jj38-h5w5-mvpf"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-jj38-h5w5-mvpf","reference_id":"GHSA-jj38-h5w5-mvpf","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T20:27:38Z/"}],"url":"https://github.com/octoberc
ms/october/security/advisories/GHSA-jj38-h5w5-mvpf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373764?format=json","purl":"pkg:composer/october/system@3.7.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.16"}],"aliases":["CVE-2026-27937","GHSA-jj38-h5w5-mvpf"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-epkg-8qq2-9fa3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/127926?format=json","vulnerability_id":"VCID-erbs-pnr9-e7eg","summary":"October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input at Styles from Branding & Appearance settings. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. 
This issue has been patched in versions 3.7.13 and 4.0.12.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61676","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07684","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.0772","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61676"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61676","reference_id":"CVE-2025-61676","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61676"},{"reference_url":"https://github.com/advisories/GHSA-wvpq-h33f-8rp6","reference_id":"GHSA-wvpq-h33f-8rp6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wvpq-h33f-8rp6"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6","reference_id":"GHSA-wvpq-h33f-8rp6","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T1
7:34:07Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37535?format=json","purl":"pkg:composer/october/system@3.7.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3df2-mmnc-m7fg"},{"vulnerability":"VCID-yuk8-p75s-dugm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.13"},{"url":"http://public2.vulnerablecode.io/api/packages/37538?format=json","purl":"pkg:composer/october/system@4.0.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.0.12"}],"aliases":["CVE-2025-61676","GHSA-wvpq-h33f-8rp6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-erbs-pnr9-e7eg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70697?format=json","vulnerability_id":"VCID-fs6h-a1dq-n7av","summary":"October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. 
This vulnerability is fixed in 3.7.14 and 4.1.10.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26067","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17278","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17117","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26067"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26067","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26067"},{"reference_url":"https://github.com/advisories/GHSA-3888-q23f-x7qh","reference_id":"GHSA-3888-q23f-x7qh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3888-q23f-x7qh"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh","reference_id":"GHSA-3888-q23f-x7qh","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T17:35:10Z/"}],"url":"ht
tps://github.com/octobercms/october/security/advisories/GHSA-3888-q23f-x7qh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373496?format=json","purl":"pkg:composer/october/system@3.7.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.14"},{"url":"http://public2.vulnerablecode.io/api/packages/373495?format=json","purl":"pkg:composer/october/system@4.1.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.10"}],"aliases":["CVE-2026-26067","GHSA-3888-q23f-x7qh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fs6h-a1dq-n7av"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/128004?format=json","vulnerability_id":"VCID-vhhm-2rbj-kqgg","summary":"October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. 
This issue has been patched in versions 3.7.13 and 4.0.12.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61674","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07684","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.0772","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61674"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61674","reference_id":"CVE-2025-61674","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61674"},{"reference_url":"https://github.com/advisories/GHSA-gxxc-m74c-f48x","reference_id":"GHSA-gxxc-m74c-f48x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gxxc-m74c-f48x"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x","reference_id":"GHSA-gxxc-m74c-f48x","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T1
7:33:26Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37535?format=json","purl":"pkg:composer/october/system@3.7.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3df2-mmnc-m7fg"},{"vulnerability":"VCID-yuk8-p75s-dugm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.13"},{"url":"http://public2.vulnerablecode.io/api/packages/37538?format=json","purl":"pkg:composer/october/system@4.0.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.0.12"}],"aliases":["CVE-2025-61674","GHSA-gxxc-m74c-f48x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vhhm-2rbj-kqgg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35530?format=json","vulnerability_id":"VCID-wz9u-6vry-yuhb","summary":"October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension. This vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user. 
This issue has been patched in v3.7.5.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-51991","reference_id":"","reference_type":"","scores":[{"value":"0.00313","scoring_system":"epss","scoring_elements":"0.54968","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00313","scoring_system":"epss","scoring_elements":"0.54846","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-51991"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-51991","reference_id":"","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-51991"},{"reference_url":"https://github.com/advisories/GHSA-96hh-8hx5-cpw7","reference_id":"GHSA-96hh-8hx5-cpw7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-96hh-8hx5-cpw7"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7","reference_id":"GHSA-96hh-8hx5-cpw7","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-05T18:06:02Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7"}],"fixed_packages":[{"url":"http:
//public2.vulnerablecode.io/api/packages/378990?format=json","purl":"pkg:composer/october/system@3.7.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.5"}],"aliases":["CVE-2024-51991","GHSA-96hh-8hx5-cpw7"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wz9u-6vry-yuhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/167565?format=json","vulnerability_id":"VCID-xevy-axzn-n7g1","summary":"October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the \"Editor\" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request. 
The issue has been patched in versions 2.2.34 and 3.0.66.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-35944","reference_id":"","reference_type":"","scores":[{"value":"0.00532","scoring_system":"epss","scoring_elements":"0.6781","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00532","scoring_system":"epss","scoring_elements":"0.67721","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-35944"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35944","reference_id":"CVE-2022-35944","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35944"},{"reference_url":"https://github.com/advisories/GHSA-x4q7-m6fp-4v9v","reference_id":"GHSA-x4q7-m6fp-4v9v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x4q7-m6fp-4v9v"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v","reference_id":"GHSA-x4q7-m6fp-4v9v","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","s
coring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:47:57Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27369?format=json","purl":"pkg:composer/october/system@2.2.34","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@2.2.34"},{"url":"http://public2.vulnerablecode.io/api/packages/27371?format=json","purl":"pkg:composer/october/system@3.0.66","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.0.66"}],"aliases":["CVE-2022-35944","GHSA-x4q7-m6fp-4v9v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xevy-axzn-n7g1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/82635?format=json","vulnerability_id":"VCID-yuk8-p75s-dugm","summary":"October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. 
To work around this issue, restrict editor settings permissions to fully trusted administrators only.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24906","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01911","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01907","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24906"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24906","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24906"},{"reference_url":"https://github.com/advisories/GHSA-6qmh-j78v-ffp7","reference_id":"GHSA-6qmh-j78v-ffp7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6qmh-j78v-ffp7"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-6qmh-j78v-ffp7","reference_id":"GHSA-6qmh-j78v-ffp7","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/U
I:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T13:45:53Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-6qmh-j78v-ffp7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373496?format=json","purl":"pkg:composer/october/system@3.7.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@3.7.14"},{"url":"http://public2.vulnerablecode.io/api/packages/373495?format=json","purl":"pkg:composer/october/system@4.1.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@4.1.10"}],"aliases":["CVE-2026-24906","GHSA-6qmh-j78v-ffp7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yuk8-p75s-dugm"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/163861?format=json","vulnerability_id":"VCID-5f35-gkfm-ukbz","summary":"Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to build 474 or v1.1.10. 
The only known workaround is to manually apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a) which adds server signature validation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23655","reference_id":"","reference_type":"","scores":[{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.34286","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.34109","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23655"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23655","reference_id":"CVE-2022-23655","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23655"},{"reference_url":"https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a","reference_id":"e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:10:01Z/"}],"url":"https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a"},{"reference_url":"https://github.com/advisories/GHSA-53m6-44rc-h2q5","reference_id":"GHSA-53m6-44rc-h2q5","reference_type":""
,"scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-53m6-44rc-h2q5"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5","reference_id":"GHSA-53m6-44rc-h2q5","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:10:01Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19500?format=json","purl":"pkg:composer/october/system@1.0.475","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1b4g-vts2-akgy"},{"vulnerability":"VCID-3df2-mmnc-m7fg"},{"vulnerability":"VCID-9juu-t4f1-rkb6"},{"vulnerability":"VCID-epkg-8qq2-9fa3"},{"vulnerability":"VCID-erbs-pnr9-e7eg"},{"vulnerability":"VCID-fs6h-a1dq-n7av"},{"vulnerability":"VCID-vhhm-2rbj-kqgg"},{"vulnerability":"VCID-wz9u-6vry-yuhb"},{"vulnerability":"VCID-xevy-axzn-n7g1"},{"vulnerability":"VCID-yuk8-p75s-dugm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.475"},{"url":"http://public2.vulnerablecode.io/api/packages/19499?format=json","purl":"pkg:composer/october/system@1.1.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1b4g-vts2-akgy"},{"vulnerability":"VCID-3df2-mmnc-m7fg"},{"vulnerability":"VCID-9juu-t4f1-rkb6"},{"vulnerability":"VCID-epkg-8qq2-9fa3"},{"vulnerability":"VCID-erbs-pnr9-e7eg"},{"vulnerability":"VCID-fs6h-a1dq-n7av"},{"vulnerability":"VCID-vhhm-2rbj-kqgg"},{"vulnerability":"VCID-wz9u-6vry-yuhb"},{"vulnerability":"VCID-xevy-axzn-n7g1"},{"vuln
erability":"VCID-yuk8-p75s-dugm"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.1.11"}],"aliases":["CVE-2022-23655","GHSA-53m6-44rc-h2q5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5f35-gkfm-ukbz"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/system@1.0.475"}