Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/october/october@1.0.475
Typecomposer
Namespaceoctober
Nameoctober
Version1.0.475
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version4.1.17
Latest_non_vulnerable_version4.1.17
Affected_by_vulnerabilities
0
url VCID-1u23-49vh-a7cz
vulnerability_id VCID-1u23-49vh-a7cz
summary 
October CMS Allows Unprotected SVG Rename in Media Manager
This advisory affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension.

This vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-51991
reference_id
reference_type
scores
0
value 0.00313
scoring_system epss
scoring_elements 0.54768
published_at 2026-06-05T12:55:00Z
1
value 0.00313
scoring_system epss
scoring_elements 0.54772
published_at 2026-06-07T12:55:00Z
2
value 0.00313
scoring_system epss
scoring_elements 0.54778
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-51991
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 1.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-51991
reference_id CVE-2024-51991
reference_type
scores
0
value 1.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-51991
3
reference_url https://github.com/advisories/GHSA-96hh-8hx5-cpw7
reference_id GHSA-96hh-8hx5-cpw7
reference_type
scores
url https://github.com/advisories/GHSA-96hh-8hx5-cpw7
4
reference_url https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7
reference_id GHSA-96hh-8hx5-cpw7
reference_type
scores
0
value 1.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-05T18:06:02Z/
url https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7
fixed_packages
0
url pkg:composer/october/october@3.7.5
purl pkg:composer/october/october@3.7.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@3.7.5
1
url pkg:composer/october/october@3.7.10
purl pkg:composer/october/october@3.7.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-tdpb-9bs6-w3gx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@3.7.10
aliases CVE-2024-51991, GHSA-96hh-8hx5-cpw7
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1u23-49vh-a7cz
1
url VCID-a3cc-swkj-cue8
vulnerability_id VCID-a3cc-swkj-cue8
summary 
October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers
When running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on Host Header Poisoning:
- https://portswigger.net/web-security/host-header
- https://dzone.com/articles/what-is-a-host-header-attack
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-21265
reference_id
reference_type
scores
0
value 0.0051
scoring_system epss
scoring_elements 0.66772
published_at 2026-06-05T12:55:00Z
1
value 0.0051
scoring_system epss
scoring_elements 0.66765
published_at 2026-06-07T12:55:00Z
2
value 0.0051
scoring_system epss
scoring_elements 0.66779
published_at 2026-06-06T12:55:00Z
3
value 0.0051
scoring_system epss
scoring_elements 0.66731
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-21265
1
reference_url https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d
2
reference_url https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6
3
reference_url https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30
4
reference_url https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0
5
reference_url https://packagist.org/packages/october/backend
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/october/backend
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-21265
reference_id CVE-2021-21265
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-21265
7
reference_url https://github.com/advisories/GHSA-xhfx-hgmf-v6vp
reference_id GHSA-xhfx-hgmf-v6vp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xhfx-hgmf-v6vp
8
reference_url https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp
reference_id GHSA-xhfx-hgmf-v6vp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp
fixed_packages
0
url pkg:composer/october/october@1.1.2
purl pkg:composer/october/october@1.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-196s-wgwr-kyd6
1
vulnerability VCID-1u23-49vh-a7cz
2
vulnerability VCID-26wk-v39m-tue9
3
vulnerability VCID-32np-fww5-sqgs
4
vulnerability VCID-c9ym-e1xq-euah
5
vulnerability VCID-dc1p-1k62-2ub6
6
vulnerability VCID-hk1m-fbhk-4khm
7
vulnerability VCID-jwc2-ypme-27f5
8
vulnerability VCID-sb7b-w5kw-2kcu
9
vulnerability VCID-tdpb-9bs6-w3gx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.1.2
aliases CVE-2021-21265, GHSA-xhfx-hgmf-v6vp
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a3cc-swkj-cue8
2
url VCID-dc1p-1k62-2ub6
vulnerability_id VCID-dc1p-1k62-2ub6
summary 
October CMS upload process vulnerable to RCE via Race Condition
### Impact

This advisory affects plugins that expose the `October\Rain\Database\Attach\File::fromData` as a public interface. This vulnerability does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally.

When the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory.

### Patches

The issue has been patched in Build 476 (v1.0.476) and v1.1.12 and v2.2.15.

### Workarounds

Apply https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83 to your installation manually if unable to upgrade to Build 476 (v1.0.476) or v1.1.12 or v2.2.15.

### References

Credits to:
- DucNT, HungTD and GiangVQ from RedTeam@VNG Security Response Center.

### For more information

If you have any questions or comments about this advisory:
- Email us at [hello@octobercms.com](mailto:hello@octobercms.com)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-24800
reference_id
reference_type
scores
0
value 0.02925
scoring_system epss
scoring_elements 0.86687
published_at 2026-06-07T12:55:00Z
1
value 0.02925
scoring_system epss
scoring_elements 0.8667
published_at 2026-06-04T12:55:00Z
2
value 0.02925
scoring_system epss
scoring_elements 0.86692
published_at 2026-06-05T12:55:00Z
3
value 0.02925
scoring_system epss
scoring_elements 0.86691
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-24800
1
reference_url https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:51:41Z/
url https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83
2
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
3
reference_url https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:51:41Z/
url https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24800
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-24800
5
reference_url https://github.com/advisories/GHSA-8v7h-cpc2-r8jp
reference_id GHSA-8v7h-cpc2-r8jp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8v7h-cpc2-r8jp
fixed_packages
0
url pkg:composer/october/october@1.0.476
purl pkg:composer/october/october@1.0.476
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1u23-49vh-a7cz
1
vulnerability VCID-hk1m-fbhk-4khm
2
vulnerability VCID-sb7b-w5kw-2kcu
3
vulnerability VCID-tdpb-9bs6-w3gx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.476
1
url pkg:composer/october/october@1.1.12
purl pkg:composer/october/october@1.1.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1u23-49vh-a7cz
1
vulnerability VCID-hk1m-fbhk-4khm
2
vulnerability VCID-sb7b-w5kw-2kcu
3
vulnerability VCID-tdpb-9bs6-w3gx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.1.12
2
url pkg:composer/october/october@2.2.32
purl pkg:composer/october/october@2.2.32
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1u23-49vh-a7cz
1
vulnerability VCID-hk1m-fbhk-4khm
2
vulnerability VCID-sb7b-w5kw-2kcu
3
vulnerability VCID-tdpb-9bs6-w3gx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@2.2.32
3
url pkg:composer/october/october@3.0.0
purl pkg:composer/october/october@3.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1u23-49vh-a7cz
1
vulnerability VCID-697s-34zx-1bet
2
vulnerability VCID-8nzv-njt4-7kcy
3
vulnerability VCID-hk1m-fbhk-4khm
4
vulnerability VCID-j1jf-zq2p-xkg5
5
vulnerability VCID-sb7b-w5kw-2kcu
6
vulnerability VCID-tdpb-9bs6-w3gx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@3.0.0
aliases CVE-2022-24800, GHSA-8v7h-cpc2-r8jp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dc1p-1k62-2ub6
3
url VCID-hk1m-fbhk-4khm
vulnerability_id VCID-hk1m-fbhk-4khm
summary 
October CMS Safe Mode bypass leads to authenticated Remote Code Execution
### Impact

This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request.

### Patches

The issue has been patched in v2.2.34 and v3.0.66

### References

Credits to:

-  David Miller

### For more information

If you have any questions or comments about this advisory:

- Email us at [hello@octobercms.com](mailto:hello@octobercms.com)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-35944
reference_id
reference_type
scores
0
value 0.00532
scoring_system epss
scoring_elements 0.67626
published_at 2026-06-04T12:55:00Z
1
value 0.00532
scoring_system epss
scoring_elements 0.67664
published_at 2026-06-07T12:55:00Z
2
value 0.00532
scoring_system epss
scoring_elements 0.67674
published_at 2026-06-06T12:55:00Z
3
value 0.00532
scoring_system epss
scoring_elements 0.67667
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-35944
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:47:57Z/
url https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-35944
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-35944
4
reference_url https://github.com/advisories/GHSA-x4q7-m6fp-4v9v
reference_id GHSA-x4q7-m6fp-4v9v
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x4q7-m6fp-4v9v
fixed_packages
0
url pkg:composer/october/october@2.2.34
purl pkg:composer/october/october@2.2.34
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@2.2.34
1
url pkg:composer/october/october@3.0.74
purl pkg:composer/october/october@3.0.74
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1u23-49vh-a7cz
1
vulnerability VCID-697s-34zx-1bet
2
vulnerability VCID-8nzv-njt4-7kcy
3
vulnerability VCID-j1jf-zq2p-xkg5
4
vulnerability VCID-sb7b-w5kw-2kcu
5
vulnerability VCID-tdpb-9bs6-w3gx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@3.0.74
aliases CVE-2022-35944, GHSA-x4q7-m6fp-4v9v
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hk1m-fbhk-4khm
4
url VCID-sb7b-w5kw-2kcu
vulnerability_id VCID-sb7b-w5kw-2kcu
summary 
October allows an admin account to upload PDF containing malicious JavaScript
October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45962
reference_id
reference_type
scores
0
value 0.0027
scoring_system epss
scoring_elements 0.50684
published_at 2026-06-05T12:55:00Z
1
value 0.0027
scoring_system epss
scoring_elements 0.50672
published_at 2026-06-07T12:55:00Z
2
value 0.0027
scoring_system epss
scoring_elements 0.50692
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45962
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value 1.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://grimthereaperteam.medium.com/october-cms-3-6-30-stored-xss-ddf2be7a226e
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
2
value 1.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T20:33:25Z/
url https://grimthereaperteam.medium.com/october-cms-3-6-30-stored-xss-ddf2be7a226e
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-45962
reference_id CVE-2024-45962
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value 1.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-45962
4
reference_url https://github.com/advisories/GHSA-hxpp-g76m-qhvg
reference_id GHSA-hxpp-g76m-qhvg
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hxpp-g76m-qhvg
fixed_packages
aliases CVE-2024-45962, GHSA-hxpp-g76m-qhvg
risk_score 2.1
exploitability 0.5
weighted_severity 4.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sb7b-w5kw-2kcu
5
url VCID-tdpb-9bs6-w3gx
vulnerability_id VCID-tdpb-9bs6-w3gx
summary 
October CMS has Safe Mode Bypass via Twig Database Write Operations
A vulnerability was identified in the Twig sandbox security policy that allowed database write operations when `cms.safe_mode` is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list.

### Impact
- Arbitrary database writes including modification or deletion of any table
- Requires authenticated backend access with Developer permissions
- Only relevant when `cms.safe_mode` is enabled (otherwise direct PHP injection is already possible)

### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. Write operations such as `insert`, `update`, `delete`, and `truncate` are now blocked on query builder and model objects within the Twig sandbox. All users are encouraged to upgrade to the latest patched version.

### Workarounds
If upgrading immediately is not possible:
- Restrict Developer tool access to fully trusted administrators only

### Reporter
- Reported by [Chris Alupului](https://github.com/neosprings)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-26274
reference_id
reference_type
scores
0
value 0.00075
scoring_system epss
scoring_elements 0.22822
published_at 2026-06-05T12:55:00Z
1
value 0.00075
scoring_system epss
scoring_elements 0.22761
published_at 2026-06-07T12:55:00Z
2
value 0.00075
scoring_system epss
scoring_elements 0.22807
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-26274
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://github.com/octobercms/october/security/advisories/GHSA-h6jm-f4hh-fw27
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T19:16:28Z/
url https://github.com/octobercms/october/security/advisories/GHSA-h6jm-f4hh-fw27
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-26274
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-26274
4
reference_url https://github.com/advisories/GHSA-h6jm-f4hh-fw27
reference_id GHSA-h6jm-f4hh-fw27
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h6jm-f4hh-fw27
fixed_packages
0
url pkg:composer/october/october@3.7.14
purl pkg:composer/october/october@3.7.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@3.7.14
1
url pkg:composer/october/october@4.1.10
purl pkg:composer/october/october@4.1.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@4.1.10
2
url pkg:composer/october/october@4.1.17
purl pkg:composer/october/october@4.1.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@4.1.17
aliases CVE-2026-26274, GHSA-h6jm-f4hh-fw27
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tdpb-9bs6-w3gx
Fixing_vulnerabilities
0
url VCID-196s-wgwr-kyd6
vulnerability_id VCID-196s-wgwr-kyd6
summary 
Improper Verification of Cryptographic Signature
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS does not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-23655
reference_id
reference_type
scores
0
value 0.00142
scoring_system epss
scoring_elements 0.34084
published_at 2026-06-07T12:55:00Z
1
value 0.00142
scoring_system epss
scoring_elements 0.34002
published_at 2026-06-04T12:55:00Z
2
value 0.00142
scoring_system epss
scoring_elements 0.34102
published_at 2026-06-05T12:55:00Z
3
value 0.00142
scoring_system epss
scoring_elements 0.34117
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-23655
1
reference_url https://github.com/octobercms/october
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october
2
reference_url https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:10:01Z/
url https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-23655
reference_id CVE-2022-23655
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-23655
4
reference_url https://github.com/advisories/GHSA-53m6-44rc-h2q5
reference_id GHSA-53m6-44rc-h2q5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-53m6-44rc-h2q5
5
reference_url https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5
reference_id GHSA-53m6-44rc-h2q5
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:10:01Z/
url https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5
fixed_packages
0
url pkg:composer/october/october@1.0.475
purl pkg:composer/october/october@1.0.475
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1u23-49vh-a7cz
1
vulnerability VCID-a3cc-swkj-cue8
2
vulnerability VCID-dc1p-1k62-2ub6
3
vulnerability VCID-hk1m-fbhk-4khm
4
vulnerability VCID-sb7b-w5kw-2kcu
5
vulnerability VCID-tdpb-9bs6-w3gx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.475
1
url pkg:composer/october/october@1.1.11
purl pkg:composer/october/october@1.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1u23-49vh-a7cz
1
vulnerability VCID-dc1p-1k62-2ub6
2
vulnerability VCID-hk1m-fbhk-4khm
3
vulnerability VCID-sb7b-w5kw-2kcu
4
vulnerability VCID-tdpb-9bs6-w3gx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.1.11
aliases CVE-2022-23655, GHSA-53m6-44rc-h2q5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-196s-wgwr-kyd6
1
url VCID-8g7k-gf7y-mubp
vulnerability_id VCID-8g7k-gf7y-mubp
summary 
Insufficient Session Expiration
An issue was discovered in October through build It reactivates an old session ID (which had been invalid after a logout) once a new login occurs.
references
0
reference_url https://anisiosantos.me/october-cms-token-reactivation
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://anisiosantos.me/october-cms-token-reactivation
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-3311
reference_id
reference_type
scores
0
value 0.01522
scoring_system epss
scoring_elements 0.81614
published_at 2026-06-07T12:55:00Z
1
value 0.01522
scoring_system epss
scoring_elements 0.81615
published_at 2026-06-06T12:55:00Z
2
value 0.01522
scoring_system epss
scoring_elements 0.81612
published_at 2026-06-05T12:55:00Z
3
value 0.01522
scoring_system epss
scoring_elements 0.81583
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-3311
2
reference_url https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024
3
reference_url https://octobercms.com/forum/chan/announcements
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://octobercms.com/forum/chan/announcements
4
reference_url https://packagist.org/packages/october/rain
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/october/rain
5
reference_url http://cve.circl.lu/cve/CVE-2021-3311
reference_id CVE-2021-3311
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://cve.circl.lu/cve/CVE-2021-3311
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-3311
reference_id CVE-2021-3311
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-3311
7
reference_url https://github.com/advisories/GHSA-7ggw-h8pp-r95r
reference_id GHSA-7ggw-h8pp-r95r
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7ggw-h8pp-r95r
8
reference_url https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r
reference_id GHSA-7ggw-h8pp-r95r
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r
fixed_packages
0
url pkg:composer/october/october@1.0.475
purl pkg:composer/october/october@1.0.475
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1u23-49vh-a7cz
1
vulnerability VCID-a3cc-swkj-cue8
2
vulnerability VCID-dc1p-1k62-2ub6
3
vulnerability VCID-hk1m-fbhk-4khm
4
vulnerability VCID-sb7b-w5kw-2kcu
5
vulnerability VCID-tdpb-9bs6-w3gx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.475
1
url pkg:composer/october/october@1.1.0
purl pkg:composer/october/october@1.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-196s-wgwr-kyd6
1
vulnerability VCID-1u23-49vh-a7cz
2
vulnerability VCID-26wk-v39m-tue9
3
vulnerability VCID-6wuq-x5uj-mfaq
4
vulnerability VCID-a3cc-swkj-cue8
5
vulnerability VCID-dc1p-1k62-2ub6
6
vulnerability VCID-hk1m-fbhk-4khm
7
vulnerability VCID-jwc2-ypme-27f5
8
vulnerability VCID-sb7b-w5kw-2kcu
9
vulnerability VCID-tdpb-9bs6-w3gx
10
vulnerability VCID-xft1-5xxz-jfbp
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.1.0
aliases CVE-2021-3311, GHSA-7ggw-h8pp-r95r
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8g7k-gf7y-mubp
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.475