october/system
Packagist19 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting october/systempage 1 of 1
- CVE-2021-29487HIGHCVSS 7.4EG 7.4✓ Fixed in 1.1.52021-08-26
vulnerable: v1.1.1, v1.1.2, v1.1.3, v1.1.4
octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can exploit this vulnerability to bypass authentication and takeover of and user account on an October CMS serv…
- CVE-2021-32648HIGHCVSS 8.2EG 9.0⚠ KEV✓ Fixed in 1.1.52021-08-26
vulnerable: v1.1.1, v1.1.2, v1.1.3, v1.1.4
octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. Th…
- CVE-2021-32649HIGHCVSS 8.8EG 8.8✓ Fixed in 1.0.4732022-01-14
vulnerable: v1.0.319 ... v1.0.472 (154 versions)
October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to …
- CVE-2021-32650HIGHCVSS 8.8EG 8.8✓ Fixed in 1.0.4732022-01-14
vulnerable: v1.0.319 ... v1.0.472 (154 versions)
October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with access to the backend is able to execute PHP code by using the theme import fea…
- CVE-2021-41126HIGHCVSS 7.2EG 7.2✓ Fixed in 2.1.122021-10-06
October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October C…
- CVE-2022-21705HIGHCVSS 7.2EG 7.2✓ Fixed in 2.1.272022-02-23
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages…
- CVE-2022-23655MEDIUMCVSS 4.8EG 4.8✓ Fixed in 1.0.4752022-02-24
vulnerable: v1.0.319 ... v1.0.474 (156 versions)
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private k…
- CVE-2022-24800HIGHCVSS 8.1EG 8.1✓ Fixed in 2.2.152022-07-12
October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fro…
- CVE-2022-35944MEDIUMCVSS 6.2EG 6.2✓ Fixed in 3.0.662022-10-13
October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the a…
- CVE-2023-44381MEDIUMCVSS 4.9EG 4.9✓ Fixed in 3.4.152023-12-01
October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not…
- CVE-2023-44382CRITICALCVSS 9.1EG 9.1✓ Fixed in 3.4.152023-12-01
October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not…
- CVE-2023-44383MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.5.22023-11-29
October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with ac…
- CVE-2024-24764LOWCVSS 3.5EG 3.5✓ Fixed in 3.5.152024-06-26
October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema …
- CVE-2024-25637LOWCVSS 3.1EG 3.1✓ Fixed in 3.5.152024-06-26
October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerabil…
- CVE-2026-24906MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.7.142026-04-14
vulnerable: v1.0.319 ... v1.1.9 (169 versions)
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styl…
- CVE-2026-24907MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.7.142026-04-14
vulnerable: v1.0.319 ... v1.1.9 (169 versions)
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML con…
- CVE-2026-26067MEDIUMCVSS 4.9EG 4.9✓ Fixed in 4.1.102026-04-21
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions c…
- CVE-2026-27937LOWCVSS 3.1EG 3.12026-04-21
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without pro…
- CVE-2026-29179LOWCVSS 3.3EG 3.3✓ Fixed in 3.7.162026-04-21
vulnerable: v1.0.319 ... v1.1.9 (169 versions)
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affe…
Check whether october/system is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for october/system CVEs against the assets you own.
Start Free Scan →