Every CVE whose affected-product data names Octobercms October, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (57)
CVE-2017-1000196 — CVSS 9.8 (critical): October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromise and possibly…
CVE-2021-3311 — CVSS 9.8 (critical): An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new…
CVE-2017-1000197 — CVSS 9.8 (critical): October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating malicious files on…
CVE-2017-1000194 — CVSS 9.8 (critical): October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromise and…
CVE-2023-44382 — CVSS 9.1 (critical): October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the…
CVE-2017-16941 — CVSS 8.8 (high): October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP…
CVE-2017-16244 — CVSS 8.8 (high): Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling…
CVE-2021-32650 — CVSS 8.8 (high): October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and…
CVE-2021-32649 — CVSS 8.8 (high): October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and…
CVE-2022-24800 — CVSS 8.1 (high): October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions…
CVE-2018-1999009 — CVSS 8.1 (high): October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244…
CVE-2023-25365 — CVSS 7.8 (high): Cross Site Scripting vulnerability found in October CMS v.3.2.0 allows local attacker to execute arbitrary code via the file type .mp3
CVE-2020-15246 — CVSS 7.5 (high): October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before…
CVE-2017-1000195 — CVSS 7.5 (high): October CMS build 412 is vulnerable to PHP object injection in asset move functionality resulting in ability to delete files limited by…
CVE-2021-29487 — CVSS 7.4 (high): octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can exploit…
CVE-2021-41126 — CVSS 7.2 (high): October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator…
CVE-2017-1000119 — CVSS 7.2 (high): October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other…
CVE-2022-21705 — CVSS 7.2 (high): Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized…
CVE-2021-21265 — CVSS 6.8 (medium): October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running…
CVE-2022-35944 — CVSS 6.2 (medium): October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects…
CVE-2020-5296 — CVSS 6.2 (medium): In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to…
CVE-2025-61676 — CVSS 6.1 (medium): October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS)…
CVE-2025-61674 — CVSS 6.1 (medium): October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS)…
CVE-2020-15128 — CVSS 6.1 (medium): In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant…
CVE-2017-1000193 — CVSS 6.1 (medium): October CMS build 412 is vulnerable to stored WCI (a.k.a XSS) in brand logo image name resulting in JavaScript code execution in the…
CVE-2026-24907 — CVSS 5.4 (medium): October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting…
CVE-2024-25837 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in October CMS Bloghub Plugin v1.3.8 and lower allows attackers to execute arbitrary web…
CVE-2015-5613 — CVSS 5.4 (medium): Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or…
CVE-2023-44383 — CVSS 5.4 (medium): October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager…
CVE-2023-43876 — CVSS 5.4 (medium): A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary web scripts via a…
CVE-2026-24906 — CVSS 5.4 (medium): October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting…
CVE-2018-1999008 — CVSS 5.4 (medium): October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder…
CVE-2017-15284 — CVSS 5.4 (medium): Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing…
CVE-2023-37692 — CVSS 5.4 (medium): An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file.
CVE-2020-15247 — CVSS 5.2 (medium): October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before…
CVE-2020-26231 — CVSS 5.2 (medium): October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469…
CVE-2021-21264 — CVSS 5.2 (medium): October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-26231 (fixed in…
CVE-2023-44381 — CVSS 4.9 (medium): October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the…
CVE-2024-51991 — CVSS 4.9 (medium): October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated…
CVE-2026-22692 — CVSS 4.9 (medium): October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox…
CVE-2026-25125 — CVSS 4.9 (medium): October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information…
CVE-2022-23655 — CVSS 4.8 (medium): Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway…
CVE-2026-25133 — CVSS 4.8 (medium): October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting…
CVE-2020-5295 — CVSS 4.8 (medium): In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to…
CVE-2024-45962 — CVSS 4.7 (medium): October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the…
CVE-2015-5612 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or…
CVE-2020-5298 — CVSS 4.0 (medium): In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import…
CVE-2020-15248 — CVSS 4.0 (medium): October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before…
CVE-2020-5299 — CVSS 4.0 (medium): In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data…
CVE-2020-4061 — CVSS 3.7 (low): In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could…
CVE-2024-24764 — CVSS 3.5 (low): October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be…
CVE-2020-11083 — CVSS 3.5 (low): In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could…
CVE-2020-5297 — CVSS 3.4 (low): In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to…
CVE-2024-25637 — CVSS 3.1 (low): October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX…
CVE-2020-15249 — CVSS 2.8 (low): October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before…