CVE-2025-61674
Unknown Unknown - Not Provided
Cross-Site Scripting in October CMS Backend Stylesheet Input

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-61674
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
octobercms october to 3.7.13|end_excluding=4.0.12 (exc)
octobercms october From 3.7.13|end_including=4.0.12 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-61674 is a stored cross-site scripting (XSS) vulnerability in October CMS affecting backend configuration forms, specifically the Editor Settings under Markup Styles. A user with the Global Editor Settings permission can inject malicious HTML or JavaScript into the stylesheet input field. This crafted input can break out of the intended <style> tag context, enabling arbitrary script execution across backend pages for all users. This means that malicious scripts can run persistently within the backend interface, potentially affecting all users who access it. [1]

Impact Analysis

This vulnerability can lead to privilege escalation, session hijacking, and unauthorized actions within victim sessions. Because the malicious script executes across backend pages for all users, attackers can potentially take over user sessions, perform actions on behalf of other users, and compromise the confidentiality and integrity of the system. The attack requires a user with Global Editor Settings permission to inject the malicious code, but once exploited, it affects all backend users. [1]

Detection Guidance

Detection involves checking if any malicious HTML or JavaScript has been injected into the stylesheet input field under Settings β†’ Editor Settings β†’ Markup Styles by users with Global Editor Settings permission. Since this is a stored XSS vulnerability, inspecting the backend configuration forms for unexpected or suspicious <style> content or script tags is key. There are no specific commands provided in the resources for automated detection. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading October CMS to versions 3.7.13 or 4.0.12 where the vulnerability is patched and stylesheet inputs are properly sanitized. As a temporary workaround, restrict the Global Editor Settings permission to fully trusted administrators to reduce exposure, although this does not fully eliminate the risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61674. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart