CVE-2025-61676
Cross-Site Scripting in October CMS Backend Stylesheet Input

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input under Styles in the Branding & Appearance settings. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
octobercms october to 4.0.11 (exc)
octobercms october 3.7.13
octobercms october 4.0.12
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can lead to privilege escalation, session hijacking, and unauthorized execution of actions within victim sessions. Since the malicious script executes across backend pages for all users, attackers can potentially compromise the confidentiality and integrity of the system. The CVSS score indicates a moderate severity with high confidentiality and integrity impact. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves checking whether your October CMS installation is running a vulnerable version (prior to 3.7.13 or 4.0.12) and whether any users with the 'Customize Backend Styles' permission have injected malicious content into the stylesheet input at Settings → Branding & Appearance → Styles. There are no specific commands provided to detect exploitation, but reviewing backend configuration forms for unexpected or suspicious HTML/JS in the Styles input field is recommended. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade October CMS to version 3.7.13 or 4.0.12 or later, where the vulnerability is patched. If upgrading immediately is not possible, restrict the 'Customize Backend Styles' permission to fully trusted administrators to reduce exposure, although this does not fully eliminate the risk. [1]


Can you explain this vulnerability to me?

CVE-2025-61676 is a stored cross-site scripting (XSS) vulnerability in October CMS affecting backend configuration forms, specifically the Branding and Appearance Styles section. A user with the "Customize Backend Styles" permission can inject malicious HTML or JavaScript into the stylesheet input, which can break out of the intended <style> context and enable arbitrary script execution across backend pages for all users. This allows persistent XSS attacks within the backend interface. [1]
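A defender-side illustration of the <style> context issue described above, added here as an example and not code from October CMS or from the advisory. The sample stylesheet values, the pattern list and the function names are all constructed for this example; the neutralization shown (CSS hex-escaping every '<' before inlining user CSS) is one sound way to keep a stored stylesheet inside its CSS context, not a description of the vendor's patch.

```python
import re

# Constructed sample values (not from the advisory or from October CMS) standing
# in for what the stored "Styles" setting under Branding & Appearance might hold.
BENIGN_CSS = "body { background: #fafafa; }\n.brand-logo { width: 120px; }"
TAMPERED_CSS = "body { color: #333; }\n</style><script>x()</script><style>"

# Markup that has no business in a stylesheet value. Matched case-insensitively
# because the HTML tokenizer closes <style> on '</style' in any letter case.
SUSPICIOUS_PATTERNS = {
    "style_close_tag": re.compile(r"</style", re.I),
    "html_tag": re.compile(r"</?[a-z]", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}


def audit_custom_css(css: str) -> list[str]:
    """Name the suspicious patterns present in a stored stylesheet value.

    Meant for reviewing an existing installation's setting: an empty list means
    nothing in the value can leave the CSS context of the <style> element.
    """
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(css)]


def neutralize_for_style_block(css: str) -> str:
    """Make a CSS string safe to inline inside a <style> element.

    The HTML tokenizer ends a <style> element at the first '</style' in its raw
    text, and entity encoding does not help there. Standard CSS never needs a
    literal '<' outside strings and comments, and inside those the hex escape
    '\\3c ' (space-terminated) still decodes to '<' for the CSS parser. So
    replacing every '<' keeps the stylesheet's meaning while leaving nothing the
    HTML parser can read as a tag. '>' must stay: it is the child combinator.
    """
    return css.replace("<", "\\3c ")


def render_style_block(css: str) -> str:
    """Wrap a user-supplied stylesheet in a <style> block after neutralizing it."""
    return "<style>\n" + neutralize_for_style_block(css) + "\n</style>"


if __name__ == "__main__":
    for label, css in (("benign", BENIGN_CSS), ("tampered", TAMPERED_CSS)):
        print(f"{label}: findings = {audit_custom_css(css) or 'none'}")
    print(render_style_block(TAMPERED_CSS))
```

Serving the stored CSS from its own route with a text/css content type avoids the HTML context entirely and is the simpler option where the application layout allows it.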

