octobercms october

57 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | Score | Description
CVE-2026-25133 | <= 3.7.13 | 4.8 MEDIUM | October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scr
CVE-2026-25125 | < 3.7.14 | 4.9 MEDIUM | October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side informati
CVE-2026-24907 | <= 3.7.13 | 5.4 MEDIUM | October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scr
CVE-2026-24906 | <= 3.7.13 | 5.4 MEDIUM | October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scr
CVE-2026-22692 | < 3.7.13 | 4.9 MEDIUM | October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a
CVE-2025-61676 | < 3.7.13 | 6.1 MEDIUM | October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) v
CVE-2025-61674 | < 3.17.3 | 6.1 MEDIUM | October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) v
CVE-2024-51991 | < 3.7.5 | 4.9 MEDIUM | October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated ad
CVE-2024-45962 | all versions | 4.7 MEDIUM | October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system.
CVE-2024-25837 | <= 1.3.8 | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in October CMS Bloghub Plugin v1.3.8 and lower allows attackers to execute arbit
CVE-2024-25637 | >= 3.2.0 and < 3.5.15 | 3.1 LOW | October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize t
CVE-2024-24764 | >= 3.2.0 and < 3.5.15 | 3.5 LOW | October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may
CVE-2023-25365 | all versions | 7.8 HIGH | Cross Site Scripting vulnerability found in October CMS v.3.2.0 allows local attacker to execute arbitrary code via the file type
CVE-2023-44382 | >= 3.0.0 and < 3.4.15 | 9.1 CRITICAL | October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user w
CVE-2023-44381 | >= 3.0.0 and < 3.4.15 | 4.9 MEDIUM | October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user w
CVE-2023-44383 | >= 3.0.0 and < 3.5.2 | 5.4 MEDIUM | October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media
CVE-2023-43876 | all versions | 5.4 MEDIUM | A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary web scripts
CVE-2023-37692 | all versions | 5.4 MEDIUM | An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file.
CVE-2022-35944 | < 2.2.34 | 6.2 MEDIUM | October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affe
CVE-2022-24800 | < 1.0.476 | 8.1 HIGH | October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versi
CVE-2022-23655 | < 1.0.475 | 4.8 MEDIUM | Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gate
CVE-2022-21705 | < 1.0.474 | 7.2 HIGH | Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sani
CVE-2021-32650 | all versions | 8.8 HIGH | October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.47
CVE-2021-32649 | < 1.0.473 | 8.8 HIGH | October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.47
CVE-2021-41126 | >= 2.0.0 and < 2.1.12 | 7.2 HIGH | October is a Content Management System (CMS) and web platform built on the Laravel PHP Framework. In affected versions adminis
CVE-2021-32648 | >= 1.1.1 and < 1.1.5 | 8.2 HIGH | octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker ca
CVE-2021-29487 | >= 1.0.471 and < 1.0.472 | 7.4 HIGH | octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker ca
CVE-2021-21264 | <= 1.0.471 | 5.2 MEDIUM | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-26231 (fixed in
CVE-2021-21265 | < 1.1.2 | 6.8 MEDIUM | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when
CVE-2021-3311 | <= 1.0.471 | 9.8 CRITICAL | An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) onc
CVE-2020-26231 | all versions | 5.2 MEDIUM | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in
CVE-2020-15249 | >= 1.0.319 and < 1.0.469 | 2.8 LOW | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 a
CVE-2020-15248 | >= 1.0.319 and < 1.0.469 | 4.0 MEDIUM | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 a
CVE-2020-15247 | >= 1.0.319 and < 1.0.469 | 5.2 MEDIUM | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 a
CVE-2020-15246 | >= 1.0.421 and < 1.0.469 | 7.5 HIGH | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 a
CVE-2020-15128 | < 1.0.468 | 6.1 MEDIUM | In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This
CVE-2020-11083 | >= 1.0.319 and < 1.0.466 | 3.5 LOW | In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persisten
CVE-2020-4061 | >= 1.0.319 and < 1.0.467 | 3.7 LOW | In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richedi
CVE-2020-5299 | >= 1.0.319 and < 1.0.466 | 4.0 MEDIUM | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify an
CVE-2020-5298 | >= 1.0.319 and < 1.0.466 | 4.0 MEDIUM | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the impo
CVE-2020-5297 | >= 1.0.319 and < 1.0.466 | 3.4 LOW | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerabil
CVE-2020-5296 | >= 1.0.319 and < 1.0.466 | 6.2 MEDIUM | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerabil
CVE-2020-5295 | >= 1.0.319 and < 1.0.466 | 4.8 MEDIUM | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerabil
CVE-2018-1999009 | all versions | 8.1 HIGH | October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (m
CVE-2018-1999008 | < 1.0.437 | 5.4 MEDIUM | October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder f
CVE-2018-7198 | <= 1.0.431 | 6.1 MEDIUM | October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page.
CVE-2017-16941 | <= 1.0.428 | 8.8 HIGH | October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitr
CVE-2017-1000197 | <= 1.0.412 | 9.8 CRITICAL | October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating malicious
CVE-2017-1000196 | <= 1.0.412 | 9.8 CRITICAL | October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromise and poss
CVE-2017-1000195 | <= 1.0.412 | 7.5 HIGH | October CMS build 412 is vulnerable to PHP object injection in asset move functionality resulting in ability to delete files limit
CVE-2017-1000194 | <= 1.0.412 | 9.8 CRITICAL | October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromis
CVE-2017-1000193 | <= 1.0.412 | 6.1 MEDIUM | October CMS build 412 is vulnerable to stored WCI (a.k.a XSS) in brand logo image name resulting in JavaScript code execution in t
CVE-2017-16244 | all versions | 8.8 HIGH | Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback han
CVE-2017-15284 | all versions | 5.4 MEDIUM | Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containi
CVE-2017-1000119 | all versions | 7.2 HIGH | October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possib
CVE-2015-5613 | all versions | 5.4 MEDIUM | Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web scri
CVE-2015-5612 | all versions | | Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web scri
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin