Cross-Site Scripting Vulnerability in October CMS Backend Configuration
CVE-2025-61676
6.1 MEDIUM
What is CVE-2025-61676?
October CMS has a cross-site scripting vulnerability that allows a user with the Customize Backend Styles permission to inject malicious HTML/JS into the backend configuration forms. Versions before 3.7.13 and 4.0.12 are affected. A specially crafted input could escape the intended context, enabling arbitrary script execution on backend pages viewed by all users. This issue has been addressed in versions 3.7.13 and 4.0.12.
Affected Version(s)
october >= 4.0.0, < 4.0.12
october < 3.7.13
