october/rain
Packagist
6 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting october/rain
- CVE-2017-15284 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 1.0.426 | 2017-10-12
vulnerable: v1.0.319 ... v1.0.425 (107 versions)
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execu…
- CVE-2020-15128 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 1.0.468 | 2020-07-31
vulnerable: v1.0.319 ... v1.0.467 (149 versions)
In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing…
- CVE-2021-3311 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 1.1.2 | 2021-02-05
vulnerable: v1.1.0, v1.1.1
An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admitted…
- CVE-2026-22692 | MEDIUM | CVSS 4.9 | EG 4.9 | ✓ Fixed in 3.7.13 | 2026-04-14
vulnerable: v1.0.319 ... v3.7.8 (342 versions)
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the …
- CVE-2026-25125 | MEDIUM | CVSS 4.9 | EG 4.9 | ✓ Fixed in 3.7.14 | 2026-04-14
vulnerable: v1.0.319 ... v3.7.8 (343 versions)
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${…
- CVE-2026-25133 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 3.7.14 | 2026-04-14
vulnerable: v1.0.319 ... v3.7.8 (343 versions)
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attri…