CVE-2025-61676
Cross-Site Scripting in October CMS Backend Stylesheet Input

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input under Styles in the Branding & Appearance settings. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (3 associated CPEs)
Vendor | Product | Version / Range
octobercms | october | to 4.0.11 (exc)
octobercms | october | 3.7.13
octobercms | october | 4.0.12
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2025-61676 is a stored cross-site scripting (XSS) vulnerability in October CMS affecting backend configuration forms, specifically the Branding and Appearance Styles section. A user with the "Customize Backend Styles" permission can inject malicious HTML or JavaScript into the stylesheet input, which can break out of the intended <style> context and enable arbitrary script execution across backend pages for all users. This allows persistent XSS attacks within the backend interface. [1]

Impact Analysis

This vulnerability can lead to privilege escalation, session hijacking, and unauthorized execution of actions within victim sessions. Since the malicious script executes across backend pages for all users, attackers can potentially compromise the confidentiality and integrity of the system. The CVSS score indicates a moderate severity with high confidentiality and integrity impact. [1]

Detection Guidance

Detection involves checking whether your October CMS installation is running a vulnerable version (prior to 3.7.13 or 4.0.12) and whether any user with the 'Customize Backend Styles' permission has injected malicious content into the stylesheet input at Settings → Branding & Appearance → Styles. No specific commands are provided to detect exploitation, but reviewing backend configuration forms for unexpected or suspicious HTML/JS in the Styles input field is recommended. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade October CMS to version 3.7.13 or 4.0.12 or later, where the vulnerability is patched. If upgrading immediately is not possible, restrict the 'Customize Backend Styles' permission to fully trusted administrators to reduce exposure, although this does not fully eliminate the risk. [1]
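As an added example (not code from October CMS or from the advisory), the script below implements the review step from the Detection Guidance and the output-side fix the patch addresses: it flags a stored stylesheet containing any sequence the HTML tokenizer would treat as the end of the <style> element, and shows a CSS escape that stops such a breakout before the value is interpolated. The sample stylesheet values and the function names are constructed for illustration.

```python
import re

# The HTML tokenizer ends a <style> element at "</style" in any letter case when it is
# followed by whitespace, "/" or ">" (or by end of input). Anything after that sequence
# is parsed as markup, which is the breakout the advisory describes.
STYLE_BREAKOUT = re.compile(r"</style(?=[\s/>]|$)", re.IGNORECASE)


def find_style_breakouts(css: str) -> list[int]:
    """Return the offset of every sequence that would terminate an enclosing <style> element."""
    return [m.start() for m in STYLE_BREAKOUT.finditer(css)]


def is_safe_stylesheet(css: str) -> bool:
    """True when the stored stylesheet cannot close the <style> element it is placed in."""
    return not find_style_breakouts(css)


def css_escape_lt(css: str) -> str:
    """Escape "<" as the CSS hex escape "\\3c " (note the trailing space terminator).

    Inside CSS strings the escape still renders as "<", and "<" has no meaning in CSS
    outside strings, comments and url(), so valid stylesheets are unchanged; but the
    character can no longer start an HTML end tag.
    """
    return css.replace("<", "\\3c ")


def embed_stylesheet(css: str) -> str:
    """Hardened embedding: escape the stored value before interpolating it into <style>."""
    return f"<style>\n{css_escape_lt(css)}\n</style>"


# Constructed sample values standing in for what an administrator might store in the
# Branding & Appearance > Styles field; they are not taken from the advisory.
BENIGN_CSS = '.layout-sidenav { background: #1a1a2e; } a::after { content: "<"; }'
BREAKOUT_CSS = "body { color: red; }\n</STYLE ><p>injected markup</p><style>"

if __name__ == "__main__":
    for name, css in (("benign", BENIGN_CSS), ("breakout", BREAKOUT_CSS)):
        verdict = "safe" if is_safe_stylesheet(css) else f"breakout at {find_style_breakouts(css)}"
        print(f"{name}: {verdict}")
        # After escaping, neither sample can close the <style> element.
        assert is_safe_stylesheet(css_escape_lt(css))
```

Run the review function over every stored Styles value; any non-empty offset list is a value that should be inspected and removed.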

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
