CVE-2025-61674
Cross-Site Scripting in October CMS Backend Stylesheet Input
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| octobercms | october | up to 3.7.13 (excluding); end excluding 4.0.12 |
| octobercms | october | from 3.7.13; end including 4.0.12 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61674 is a stored cross-site scripting (XSS) vulnerability in October CMS affecting backend configuration forms, specifically the Editor Settings under Markup Styles. A user with the Global Editor Settings permission can inject malicious HTML or JavaScript into the stylesheet input field. This crafted input can break out of the intended <style> tag context, enabling arbitrary script execution across backend pages for all users. This means that malicious scripts can run persistently within the backend interface, potentially affecting all users who access it. [1]
How can this vulnerability impact me?
This vulnerability can lead to privilege escalation, session hijacking, and unauthorized actions within victim sessions. Because the malicious script executes across backend pages for all users, attackers can potentially take over user sessions, perform actions on behalf of other users, and compromise the confidentiality and integrity of the system. The attack requires a user with Global Editor Settings permission to inject the malicious code, but once exploited, it affects all backend users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking whether any HTML or JavaScript has been injected into the stylesheet input field under Settings → Editor Settings → Markup Styles by users holding the Global Editor Settings permission. Since this is a stored XSS vulnerability, inspecting the backend configuration for unexpected `</style>` sequences or script tags in the stored stylesheet value is key. No specific commands for automated detection are provided in the referenced resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading October CMS to versions 3.7.13 or 4.0.12 where the vulnerability is patched and stylesheet inputs are properly sanitized. As a temporary workaround, restrict the Global Editor Settings permission to fully trusted administrators to reduce exposure, although this does not fully eliminate the risk. [1]
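The `</style>` breakout described in the first answer, plus the inspection and sanitization steps from the last two, as an added Python example that is not part of this record or of October CMS. The stored stylesheet values are constructed, and `find_breakouts` / `safe_style_block` are illustrative helpers, not the project's own code.

```python
import re

# Constructed stylesheet values standing in for what a backend might have
# stored in the Markup Styles field (not real October CMS data).
SAMPLE_STYLESHEETS = {
    "benign": "body { color: #333; } /* brand tweak, url('/a/b') */",
    "breakout": "body{}</style><script>alert(1)</script><style>",
    "mixed_case": "a{} </STYLE><img src=x onerror=alert(1)>",
}

# The HTML tokenizer ends a <style> element at the first "</style" it sees,
# case-insensitively and regardless of the CSS around it.
STYLE_BREAKOUT = re.compile(r"</style", re.IGNORECASE)
# Markup that only makes sense once the style context has been escaped.
MARKUP_HINTS = re.compile(r"<\s*(script|img|svg|iframe)\b|\bon\w+\s*=", re.IGNORECASE)


def find_breakouts(css: str) -> list[str]:
    """Return findings for one stored stylesheet value (empty if clean)."""
    findings = []
    if STYLE_BREAKOUT.search(css):
        findings.append("closes the <style> element")
    for m in MARKUP_HINTS.finditer(css):
        findings.append(f"markup after breakout: {m.group(0)}")
    return findings


def scan(stylesheets: dict[str, str]) -> dict[str, list[str]]:
    """Scan every stored value and keep only the ones with findings."""
    return {name: f for name, css in stylesheets.items() if (f := find_breakouts(css))}


def safe_style_block(css: str) -> str:
    """Embed user CSS in a <style> block so the value cannot close it.

    Rewriting every '</' as '<\\/' stops the tokenizer from matching
    '</style'. Legitimate CSS only contains '</' inside a string or
    comment, where the backslash escape still reads as a plain '/'.
    """
    return "<style>" + css.replace("</", "<\\/") + "</style>"


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_STYLESHEETS).items():
        print(name, "->", "; ".join(findings))
    print(safe_style_block(SAMPLE_STYLESHEETS["breakout"]))
```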