Stored Cross-Site Scripting Vulnerability in October CMS by October
CVE-2026-25133

4.8MEDIUM

Key Information:

Vendor: Octobercms
Status: October
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-25133?

October CMS prior to versions 3.7.14 and 4.1.10 has a vulnerability in the SVG sanitization logic that allows for stored cross-site scripting (XSS). This occurs through a flaw in the regex pattern used to remove event handler attributes from SVGs, making it possible for an attacker to upload malicious SVG files via the Media Manager, containing embedded JavaScript. If a superuser views or embeds these crafted SVGs, it could potentially escalate privileges. The vulnerability requires authenticated backend access with media upload permissions to exploit, and users must view or embed the malicious SVG for the attack to be executed. This issue has been rectified in the aforementioned versions.

Affected Version(s)

october < 3.7.14 < 3.7.14

october >= 4.0.0, < 4.1.10 < 4.0.0, 4.1.10

References

https://github.com/octobercms/october/security/advisories...

x_refsource_CONFIRM

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Jan 29, 2026

CVE-2026-25133 Data

JSON

Octobercms

What is CVE-2026-25133?

Affected Version(s)

References

CVSS V4

Timeline