Vulnerability Description
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Octobercms | October | < 3.17.3 |
Related Weaknesses (CWE)
References
- https://github.com/octobercms/october/security/advisories/GHSA-gxxc-m74c-f48xPatchVendor Advisory
FAQ
What is CVE-2025-61674?
CVE-2025-61674 is a vulnerability with a CVSS score of 6.1 (MEDIUM). October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms...
How severe is CVE-2025-61674?
CVE-2025-61674 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-61674?
Check the references section above for vendor advisories and patch information. Affected products include: Octobercms October.