
octobercms — Vulnerabilities & Security Advisories (39)

Browse all 39 CVE security advisories affecting octobercms. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OctoberCMS is a Laravel-based content management system aimed at developers who want a self-hosted platform for building custom web applications. Because it is built on Laravel, its security posture and dependency management track that framework closely. The 39 recorded CVEs cluster around a few recurring weakness classes in the core "october" package rather than in third-party plugins: escapes from the Twig template sandbox and bypasses of the backend "safe mode", which let an authenticated backend user reach code execution (for example CVE-2020-26231, CVE-2021-21264, CVE-2022-35944, CVE-2023-44382 and CVE-2026-22692); stored and reflected cross-site scripting in backend widgets, editors, branding styles and uploaded SVG files (CWE-79 is the most frequent classification in the list); authentication flaws such as account takeover and deleted administrators still being able to sign in (CVE-2021-32648, CVE-2021-41126); and authenticated file-write paths that end in remote code execution (CVE-2021-32649, CVE-2021-32650, CVE-2022-21705). Several entries are explicitly bypasses of an earlier fix, so a single patch for a sandbox escape should not be treated as closing the whole class. Most of the listed issues require an authenticated backend account, so restricting backend access, vetting plugins and promptly upgrading october/system are the practical mitigations; third-party plugins remain a separate risk surface that this list does not index.

Top products by octobercms: october
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-29179 | October: Editor Sub-Permission Bypass for Asset and Blueprint File Operations | october | CWE-863 | 3.3 | Low | 2026-04-21 |
| CVE-2026-27937 | October: Reflected XSS via DataTable Form Widget | october | CWE-79 | 3.1 | Low | 2026-04-21 |
| CVE-2026-26274 | October: Safe Mode Bypass via Twig Database Write Operations | october | CWE-184 | 6.6 | Medium | 2026-04-21 |
| CVE-2026-26067 | October: Safe Mode Bypass via CSS Preprocessor Compilers | october | CWE-863 | 4.9 | Medium | 2026-04-21 |
| CVE-2026-25133 | October CMS has Stored XSS via SVG Filter Bypass | october | CWE-79 | 7.5 | - | 2026-04-14 |
| CVE-2026-25125 | October CMS: Environment Variable Exfiltration via INI Parser Interpolation | october | CWE-200 | 4.9 | Medium | 2026-04-14 |
| CVE-2026-24907 | October CMS has Stored XSS via Event Log Mail Preview | october | CWE-79 | 5.4 | - | 2026-04-14 |
| CVE-2026-24906 | October CMS has Stored XSS in its Backend Editor Markup Classes | october | CWE-79 | 8.2 | - | 2026-04-14 |
| CVE-2026-22692 | October CMS: Twig Sandbox Bypass via Collection Methods | october | CWE-693 | 4.9 | Medium | 2026-04-14 |
| CVE-2025-61674 | October CMS Vulnerable to Stored XSS via Editor and Branding Styles | october | CWE-79 | 6.1 | Medium | 2026-01-10 |
| CVE-2025-61676 | October CMS Vulnerable to Stored XSS via Branding Styles | october | CWE-79 | 6.1 | Medium | 2026-01-10 |
| CVE-2024-51991 | October CMS Allows Unprotected SVG Rename in Media Manager | october | CWE-434 | 4.8 (AI) | Medium (AI) | 2025-05-05 |
| CVE-2024-25637 | Reflected XSS via X-October-Request-Handler Header | october | CWE-79 | 3.1 | Low | 2024-06-26 |
| CVE-2024-24764 | October Open Redirect for Administrator Accounts | october | CWE-601 | 3.5 | Low | 2024-06-26 |
| CVE-2023-44381 | October CMS safe mode bypass using Page template injection | october | CWE-94 | 4.9 | Medium | 2023-12-01 |
| CVE-2023-44382 | October CMS safe mode bypass using Twig sandbox escape | october | CWE-94 | 9.1 | Critical | 2023-12-01 |
| CVE-2023-44383 | October CMS stored XSS by authenticated backend user with improper configuration | october | CWE-79 | 5.4 | Medium | 2023-11-29 |
| CVE-2022-35944 | October CMS Safe Mode bypass leads to authenticated RCE (Remote Code Execution) | october | CWE-94 | 6.2 | Medium | 2022-10-13 |
| CVE-2022-24800 | Race Condition in October CMS upload process | october | CWE-362 | 8.1 | High | 2022-07-12 |
| CVE-2022-23655 | Missing server signature validation in OctoberCMS | october | CWE-347 | 4.8 | Medium | 2022-02-23 |
| CVE-2022-21705 | Authenticated remote code execution in octobercms | october | CWE-74 | 7.2 | High | 2022-02-23 |
| CVE-2021-32649 | Authenticated file write leads to remote code execution in october/system | october | CWE-74 | 8.8 | High | 2022-01-14 |
| CVE-2021-32650 | Arbitrary code execution in october/system | october | CWE-74 | 8.8 | High | 2022-01-14 |
| CVE-2021-41126 | Deleted Admin Can Sign In to Admin Interface | october | CWE-287 | 7.2 | High | 2021-10-06 |
| CVE-2021-29487 | Authentication bypass in Octobercms | october | CWE-287 | 7.4 | High | 2021-08-26 |
| CVE-2021-32648 | Account Takeover in Octobercms | october | CWE-287 | 8.2 | High | 2021-08-26 |
| CVE-2021-21264 | Bypass of fix for CVE-2020-26231, Twig sandbox escape | october | CWE-862 | 5.2 | Medium | 2021-05-03 |
| CVE-2021-21265 | October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers | october | CWE-644 | 6.8 | Medium | 2021-03-10 |
| CVE-2020-26231 | Bypass of fix for CVE-2020-15247, Twig sandbox escape | october | CWE-862 | 5.2 | Medium | 2020-11-23 |
| CVE-2020-15249 | Stored XSS by authenticated backend user with access to upload files | october | CWE-79 | 2.8 | Low | 2020-11-23 |

Severity "-" means the page gives no qualitative rating for that entry; values marked (AI) are AI-estimated rather than vendor- or NVD-assigned. 30 of the 39 advisories are listed on this page.
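As an added example (not code from this page or from the OctoberCMS project), the following Python parses rows in the one-line "CVE-ID Title — product CWE score severity date" form in which this listing is exported, fills in the CVSS v3 qualitative band where the page shows no severity, tags AI-estimated scores so they are not mistaken for assigned ratings, and orders entries for patch triage with code-execution and authentication CWEs first. The sample rows are constructed from the table above; the priority CWE set, the ranking rule and the function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample rows, copied from the listing in its one-line export form:
# "CVE-ID Title <em dash> product CWE score[AI] severity[AI]date".
SAMPLE_ROWS = [
    "CVE-2023-44382 October CMS safe mode bypass using Twig sandbox escape \u2014 octoberCWE-94 9.1 Critical2023-12-01",
    "CVE-2026-25133 October CMS has Stored XSS via SVG Filter Bypass \u2014 octoberCWE-79 7.5 -2026-04-14",
    "CVE-2024-51991 October CMS Allows Unprotected SVG Rename in Media Manager \u2014 octoberCWE-434 4.8AIMediumAI2025-05-05",
    "CVE-2022-24800 Race Condition in October CMS upload process \u2014 octoberCWE-362 8.1 High2022-07-12",
    "CVE-2021-41126 Deleted Admin Can Sign In to Admin Interface \u2014 octoberCWE-287 7.2 High2021-10-06",
]

# The product name runs straight into the CWE id and an "AI" marker may follow the
# score or the severity with no separator, so every optional piece is matched explicitly.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,}) (?P<title>.+?) \u2014 (?P<product>[a-z]+?)"
    r"(?P<cwe>CWE-\d+) (?P<score>\d{1,2}\.\d)(?P<score_ai>AI)?"
    r"\s*(?P<sev>Critical|High|Medium|Low|-)(?P<sev_ai>AI)?"
    r"(?P<date>\d{4}-\d{2}-\d{2})$"
)


@dataclass
class Advisory:
    cve: str
    title: str
    product: str
    cwe: str
    score: float
    score_estimated: bool   # True when the page marks the CVSS score as AI-generated
    severity: str
    severity_source: str    # "listed", "ai-estimated" or "derived-from-score"
    published: str


def cvss_band(score: float) -> str:
    """Qualitative rating bands from the CVSS v3.x specification."""
    if score == 0.0:
        return "None"
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"


def parse_row(row: str) -> Advisory:
    m = ROW_RE.match(row.strip())
    if m is None:
        raise ValueError(f"row does not match the listing format: {row!r}")
    score = float(m["score"])
    estimated = m["score_ai"] is not None
    if m["sev"] == "-":
        # No rating on the page: derive one from the score rather than leaving it blank.
        severity, source = cvss_band(score), "derived-from-score"
    elif m["sev_ai"] is not None or estimated:
        severity, source = m["sev"], "ai-estimated"
    else:
        severity, source = m["sev"], "listed"
    return Advisory(m["cve"], m["title"], m["product"], m["cwe"],
                    score, estimated, severity, source, m["date"])


# Assumed triage rule (not from the page): CWEs that in this listing denote code
# execution or authentication failure outrank plain score order, because an
# authenticated RCE at 6.2 matters more to an operator than a 7.5 stored XSS.
PRIORITY_CWES = {"CWE-94", "CWE-74", "CWE-287"}


def triage(rows: List[str]) -> List[Advisory]:
    advisories = [parse_row(r) for r in rows]
    # At equal priority and score, AI-estimated scores rank below listed ones.
    advisories.sort(
        key=lambda a: (a.cwe in PRIORITY_CWES, a.score, not a.score_estimated, a.published),
        reverse=True,
    )
    return advisories


def inconsistent_ratings(advisories: List[Advisory]) -> List[str]:
    """CVEs whose listed severity disagrees with the CVSS band of their own score."""
    return [a.cve for a in advisories
            if a.severity_source == "listed" and a.severity != cvss_band(a.score)]


if __name__ == "__main__":
    for a in triage(SAMPLE_ROWS):
        flag = "*" if a.cwe in PRIORITY_CWES else " "
        print(f"{flag} {a.cve} {a.score:4.1f} {a.severity:<8} ({a.severity_source}) {a.cwe} {a.title}")
```

The severity_source field is the point of the exercise: when feeding a list like this into a ticketing or SLA system, an entry rated "High" because the script derived it from a 7.5 score, or "Medium" because an AI model guessed it, should not be given the same weight as a vendor-assigned rating, and inconsistent_ratings() catches rows where a listed rating and its own score disagree and deserve a manual look.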

This page lists every published CVE security advisory associated with octobercms. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.