CVE-2026-25133: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in octobercms october
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries, allowing malicious SVG files to be uploaded through the Media Manager with embedded JavaScript. Exploitation could lead to privilege escalation if a superuser views or embeds the malicious SVG, and requires authenticated backend access with media upload permissions. The SVG must be viewed or embedded in a page for the payload to trigger. This issue has been fixed in versions 3.7.14 and 4.1.10.
AI Analysis
Technical Summary
OctoberCMS is affected by a stored XSS vulnerability (CWE-79) in its SVG sanitization logic in versions before 3.7.14 and 4.1.10. The regex intended to strip event handler attributes like onclick or onload can be bypassed, allowing malicious JavaScript embedded in SVG files uploaded through the Media Manager. Exploitation requires authenticated backend access with media upload permissions and triggers when the malicious SVG is viewed or embedded, potentially escalating privileges if a superuser is targeted. The vulnerability is addressed in OctoberCMS versions 3.7.14 and 4.1.10.
Potential Impact
Successful exploitation allows an authenticated user with media upload permissions to upload malicious SVG files containing JavaScript, which can execute when viewed or embedded, potentially leading to privilege escalation involving superuser accounts. The CVSS score of 4.8 indicates a medium severity impact with network attack vector, low complexity, and required privileges. There are no known exploits in the wild at this time.
Mitigation Recommendations
This vulnerability has been fixed in OctoberCMS versions 3.7.14 and 4.1.10. Users should upgrade to these or later versions to remediate the issue. Since the vulnerability requires authenticated backend access with media upload permissions, limiting such access can reduce risk until patching is applied. Patch status is not explicitly stated as 'official-fix' in the vendor advisory, but the fixed versions indicate an official remediation is available.
CVE-2026-25133: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in octobercms october
Description
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries, allowing malicious SVG files to be uploaded through the Media Manager with embedded JavaScript. Exploitation could lead to privilege escalation if a superuser views or embeds the malicious SVG, and requires authenticated backend access with media upload permissions. The SVG must be viewed or embedded in a page for the payload to trigger. This issue has been fixed in versions 3.7.14 and 4.1.10.
CVSS v4.0
Score 4.8medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OctoberCMS is affected by a stored XSS vulnerability (CWE-79) in its SVG sanitization logic in versions before 3.7.14 and 4.1.10. The regex intended to strip event handler attributes like onclick or onload can be bypassed, allowing malicious JavaScript embedded in SVG files uploaded through the Media Manager. Exploitation requires authenticated backend access with media upload permissions and triggers when the malicious SVG is viewed or embedded, potentially escalating privileges if a superuser is targeted. The vulnerability is addressed in OctoberCMS versions 3.7.14 and 4.1.10.
Potential Impact
Successful exploitation allows an authenticated user with media upload permissions to upload malicious SVG files containing JavaScript, which can execute when viewed or embedded, potentially leading to privilege escalation involving superuser accounts. The CVSS score of 4.8 indicates a medium severity impact with network attack vector, low complexity, and required privileges. There are no known exploits in the wild at this time.
Mitigation Recommendations
This vulnerability has been fixed in OctoberCMS versions 3.7.14 and 4.1.10. Users should upgrade to these or later versions to remediate the issue. Since the vulnerability requires authenticated backend access with media upload permissions, limiting such access can reduce risk until patching is applied. Patch status is not explicitly stated as 'official-fix' in the vendor advisory, but the fixed versions indicate an official remediation is available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-29T14:03:42.540Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69deab4182d89c981ffdeb86
Added to database: 4/14/2026, 9:01:53 PM
Last enriched: 4/22/2026, 6:28:27 AM
Last updated: 5/31/2026, 3:56:55 AM
Views: 59
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.