Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

october — Vulnerabilities & Security Advisories 41

All 41 CVE vulnerabilities found in october, with AI-generated Chinese analysis, references, and POCs.

This page documents security vulnerabilities within the October platform, focusing on common weakness classifications and specific product tags. It aggregates a comprehensive collection of vulnerabilities, including remote code execution, cross-site scripting, and authentication bypass flaws, covering data from the initial public release through the most recent critical updates. By examining this curated repository, researchers and administrators can efficiently track a vendor’s advisory history to monitor patch progression and response times. Users can also deepen their understanding of a specific weakness class by observing how similar flaws manifest across different versions and configurations of the software. Additionally, the page provides a detailed lookup for a product’s complete vulnerability history, allowing stakeholders to assess long-term security trends and potential risks associated with legacy deployments. This centralized resource eliminates the need to search multiple external databases, offering a clear view of the product’s security posture over time. It serves as a factual reference for identifying patterns in defect reporting and validating the effectiveness of current mitigation strategies against known attack vectors.

Vendor: October CMS

CVE IDTitleCVSSSeverityPublished
CVE-2026-29179 October: Editor Sub-Permission Bypass for Asset and Blueprint File Operations CWE-863 3.3 Low2026-04-21
CVE-2026-27937 October: Reflected XSS via DataTable Form Widget CWE-79 3.1 Low2026-04-21
CVE-2026-26274 October: Safe Mode Bypass via Twig Database Write Operations CWE-184 6.6 Medium2026-04-21
CVE-2026-26067 October: Safe Mode Bypass via CSS Preprocessor Compilers CWE-863 4.9 Medium2026-04-21
CVE-2026-25133 October CMS has Stored XSS via SVG Filter Bypass CWE-79 7.5 -2026-04-14
CVE-2026-25125 October CMS: Environment Variable Exfiltration via INI Parser Interpolation CWE-200 4.9 Medium2026-04-14
CVE-2026-24907 October CMS has Stored XSS via Event Log Mail Preview CWE-79 5.4 -2026-04-14
CVE-2026-24906 October CMS has Stored XSS in its Backend Editor Markup Classes CWE-79 8.2 -2026-04-14
CVE-2026-22692 October CMS: Twig Sandbox Bypass via Collection Methods CWE-693 4.9 Medium2026-04-14
CVE-2025-61674 October CMS Vulnerable to Stored XSS via Editor and Branding Styles CWE-79 6.1 Medium2026-01-10
CVE-2025-61676 October CMS Vulnerable to Stored XSS via Branding Styles CWE-79 6.1 Medium2026-01-10
CVE-2024-51991 October CMS Allows Unprotected SVG Rename in Media Manager CWE-434 4.8AIMediumAI2025-05-05
CVE-2024-25637 Reflected XSS via X-October-Request-Handler Header CWE-79 3.1 Low2024-06-26
CVE-2024-24764 October Open Redirect for Administrator Accounts CWE-601 3.5 Low2024-06-26
CVE-2023-44381 October CMS safe mode bypass using Page template injection CWE-94 4.9 Medium2023-12-01
CVE-2023-44382 October CMS safe mode bypass using Twig sandbox escape CWE-94 9.1 Critical2023-12-01
CVE-2023-44383 October CMS stored XSS by authenticated backend user with improper configuration CWE-79 5.4 Medium2023-11-29
CVE-2022-35944 October CMS Safe Mode bypass leads to authenticated RCE (Remote Code Execution) CWE-94 6.2 Medium2022-10-13
CVE-2022-24800 Race Condition in October CMS upload process CWE-362 8.1 High2022-07-12
CVE-2022-23655 Missing server signature validation in OctoberCMS CWE-347 4.8 Medium2022-02-23
CVE-2022-21705 Authenticated remote code execution in octobercms CWE-74 7.2 High2022-02-23
CVE-2021-32649 Authenticated file write leads to remote code execution in october/system CWE-74 8.8 High2022-01-14
CVE-2021-32650 Arbitrary code execution in october/system CWE-74 8.8 High2022-01-14
CVE-2021-41126 Deleted Admin Can Sign In to Admin Interface CWE-287 7.2 High2021-10-06
CVE-2021-29487 Authentication bypass in Octobercms CWE-287 7.4 High2021-08-26
CVE-2021-32648 Account Takeover in Octobercms CWE-287 8.2 High2021-08-26
CVE-2021-21264 Bypass of fix for CVE-2020-26231, Twig sandbox escape CWE-862 5.2 Medium2021-05-03
CVE-2021-21265 October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers CWE-644 6.8 Medium2021-03-10
CVE-2020-26231 Bypass of fix for CVE-2020-15247, Twig sandbox escape CWE-862 5.2 Medium2020-11-23
CVE-2020-15249 Stored XSS by authenticated backend user with access to upload files CWE-79 2.8 Low2020-11-23

All 41 known CVE vulnerabilities affecting october with full Chinese analysis, references, and POCs where available.