{"url":"http://public2.vulnerablecode.io/api/packages/466142?format=json","purl":"pkg:composer/october/rain@1.0.329","type":"composer","namespace":"october","name":"rain","version":"1.0.329","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.7.16","latest_non_vulnerable_version":"4.1.10","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83837?format=json","vulnerability_id":"VCID-2emz-xbhv-d7e6","summary":"October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with CMS_SAFE_MODE enabled (disabled by default). This issue has been fixed in versions 3.7.13 and 4.1.5. To workaround this issue, users can disable CMS_SAFE_MODE if untrusted template editing is not required, and restrict CMS template editing permissions to fully trusted administrators only.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22692","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05146","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05127","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05135","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05136","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22692"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22692","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22692"},{"reference_url":"https://github.com/advisories/GHSA-m5qg-jc75-4jp6","reference_id":"GHSA-m5qg-jc75-4jp6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m5qg-jc75-4jp6"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6","reference_id":"GHSA-m5qg-jc75-4jp6","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-14T19:42:23Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374162?format=json","purl":"pkg:composer/october/rain@3.7.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-htv5-4uyf-e7bv"},{"vulnerability":"VCID-z4xx-uev9-s7dn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.13"},{"url":"http://public2.vulnerablecode.io/api/packages/374161?format=json","purl":"pkg:composer/october/rain@4.1.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-htv5-4uyf-e7bv"},{"vulnerability":"VCID-z4xx-uev9-s7dn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.5"}],"aliases":["CVE-2026-22692","GHSA-m5qg-jc75-4jp6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2emz-xbhv-d7e6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/205121?format=json","vulnerability_id":"VCID-e7w6-dnwa-eqfw","summary":"Reliance on Cookies without validation in OctoberCMS","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15128","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29674","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29472","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.2969","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29673","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15128"},{"reference_url":"https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c"},{"reference_url":"https://github.com/octobercms/library/pull/508","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/pull/508"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15128","reference_id":"CVE-2020-15128","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15128"},{"reference_url":"https://github.com/advisories/GHSA-55mm-5399-7r63","reference_id":"GHSA-55mm-5399-7r63","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-55mm-5399-7r63"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63","reference_id":"GHSA-55mm-5399-7r63","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16821?format=json","purl":"pkg:composer/october/rain@1.0.468","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2emz-xbhv-d7e6"},{"vulnerability":"VCID-htv5-4uyf-e7bv"},{"vulnerability":"VCID-yhrp-jd6w-syhp"},{"vulnerability":"VCID-z4xx-uev9-s7dn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@1.0.468"}],"aliases":["CVE-2020-15128","GHSA-55mm-5399-7r63"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e7w6-dnwa-eqfw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66207?format=json","vulnerability_id":"VCID-htv5-4uyf-e7bv","summary":"October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries, allowing malicious SVG files to be uploaded through the Media Manager with embedded JavaScript. Exploitation could lead to privilege escalation if a superuser views or embeds the malicious SVG, and requires authenticated backend access with media upload permissions. The SVG must be viewed or embedded in a page for the payload to trigger. This issue has been fixed in versions 3.7.14 and 4.1.10.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25133","reference_id":"","reference_type":"","scores":[{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.0094","published_at":"2026-06-13T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00943","published_at":"2026-06-14T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00934","published_at":"2026-06-11T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00932","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25133"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25133","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25133"},{"reference_url":"https://github.com/advisories/GHSA-gcqv-f29m-67gr","reference_id":"GHSA-gcqv-f29m-67gr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gcqv-f29m-67gr"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr","reference_id":"GHSA-gcqv-f29m-67gr","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-16T13:47:21Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373430?format=json","purl":"pkg:composer/october/rain@3.7.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.14"},{"url":"http://public2.vulnerablecode.io/api/packages/1006819?format=json","purl":"pkg:composer/october/rain@3.7.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.16"},{"url":"http://public2.vulnerablecode.io/api/packages/373429?format=json","purl":"pkg:composer/october/rain@4.1.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.10"}],"aliases":["CVE-2026-25133","GHSA-gcqv-f29m-67gr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-htv5-4uyf-e7bv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/209894?format=json","vulnerability_id":"VCID-wzsn-qdhp-tyah","summary":"OctoberCMS Cross-Site Scripting","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15284","reference_id":"","reference_type":"","scores":[{"value":"0.02409","scoring_system":"epss","scoring_elements":"0.85473","published_at":"2026-06-14T12:55:00Z"},{"value":"0.02409","scoring_system":"epss","scoring_elements":"0.85421","published_at":"2026-06-11T12:55:00Z"},{"value":"0.02409","scoring_system":"epss","scoring_elements":"0.85482","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15284"},{"reference_url":"https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html"},{"reference_url":"https://www.exploit-db.com/exploits/42978","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/42978"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/42978.txt","reference_id":"CVE-2017-15284","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/42978.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15284","reference_id":"CVE-2017-15284","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15284"},{"reference_url":"https://github.com/advisories/GHSA-gvgf-fp4m-2hw6","reference_id":"GHSA-gvgf-fp4m-2hw6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gvgf-fp4m-2hw6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21761?format=json","purl":"pkg:composer/october/rain@1.0.426","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2emz-xbhv-d7e6"},{"vulnerability":"VCID-e7w6-dnwa-eqfw"},{"vulnerability":"VCID-htv5-4uyf-e7bv"},{"vulnerability":"VCID-yhrp-jd6w-syhp"},{"vulnerability":"VCID-z4xx-uev9-s7dn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@1.0.426"}],"aliases":["CVE-2017-15284","GHSA-gvgf-fp4m-2hw6"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wzsn-qdhp-tyah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/343090?format=json","vulnerability_id":"VCID-yhrp-jd6w-syhp","summary":"","references":[{"reference_url":"http://cve.circl.lu/cve/CVE-2021-3311","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://cve.circl.lu/cve/CVE-2021-3311"},{"reference_url":"https://anisiosantos.me/october-cms-token-reactivation","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://anisiosantos.me/october-cms-token-reactivation"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3311","reference_id":"","reference_type":"","scores":[{"value":"0.01522","scoring_system":"epss","scoring_elements":"0.81658","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01522","scoring_system":"epss","scoring_elements":"0.81718","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01522","scoring_system":"epss","scoring_elements":"0.81727","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01522","scoring_system":"epss","scoring_elements":"0.8172","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3311"},{"reference_url":"https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3311","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3311"},{"reference_url":"https://octobercms.com/forum/chan/announcements","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://octobercms.com/forum/chan/announcements"},{"reference_url":"https://packagist.org/packages/october/rain","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/october/rain"},{"reference_url":"https://github.com/advisories/GHSA-7ggw-h8pp-r95r","reference_id":"GHSA-7ggw-h8pp-r95r","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7ggw-h8pp-r95r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382804?format=json","purl":"pkg:composer/october/rain@1.0.472","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2emz-xbhv-d7e6"},{"vulnerability":"VCID-htv5-4uyf-e7bv"},{"vulnerability":"VCID-z4xx-uev9-s7dn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@1.0.472"},{"url":"http://public2.vulnerablecode.io/api/packages/382805?format=json","purl":"pkg:composer/october/rain@1.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2emz-xbhv-d7e6"},{"vulnerability":"VCID-htv5-4uyf-e7bv"},{"vulnerability":"VCID-z4xx-uev9-s7dn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@1.1.2"}],"aliases":["CVE-2021-3311","GHSA-7ggw-h8pp-r95r"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yhrp-jd6w-syhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65862?format=json","vulnerability_id":"VCID-z4xx-uev9-s7dn","summary":"October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpolation, attackers with Editor access could inject patterns such as ${APP_KEY} or ${DB_PASSWORD} into CMS page settings fields, causing sensitive environment variables to be resolved, stored in the template, and returned to the attacker when the page was reopened. This could enable exfiltration of credentials and secrets (database passwords, AWS keys, application keys), potentially leading to further attacks such as database access or cookie forgery. The vulnerability is only relevant when cms.safe_mode is enabled, as direct PHP injection is already possible otherwise. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to immediately upgrade, they can workaround this issue by restricting Editor tool access to fully trusted administrators only, and ensuring database and cloud service credentials are not accessible from the web server's network.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25125","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0279","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02788","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0278","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02796","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25125"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25125","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25125"},{"reference_url":"https://github.com/advisories/GHSA-g6v3-wv4j-x9hg","reference_id":"GHSA-g6v3-wv4j-x9hg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g6v3-wv4j-x9hg"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-g6v3-wv4j-x9hg","reference_id":"GHSA-g6v3-wv4j-x9hg","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-15T14:24:59Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-g6v3-wv4j-x9hg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373430?format=json","purl":"pkg:composer/october/rain@3.7.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.14"},{"url":"http://public2.vulnerablecode.io/api/packages/1006819?format=json","purl":"pkg:composer/october/rain@3.7.16","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@3.7.16"},{"url":"http://public2.vulnerablecode.io/api/packages/373429?format=json","purl":"pkg:composer/october/rain@4.1.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@4.1.10"}],"aliases":["CVE-2026-25125","GHSA-g6v3-wv4j-x9hg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z4xx-uev9-s7dn"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/rain@1.0.329"}