GHSA-GCQV-F29M-67GR
Vulnerability from github – Published: 2026-04-14 22:29 – Updated: 2026-04-14 22:29
Summary
October Rain has Stored XSS via SVG Filter Bypass
Details
A stored cross-site scripting (XSS) vulnerability was identified in the SVG sanitization logic. The regex pattern used to strip on* event handler attributes could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries.
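The advisory attributes the bypass to a regex that matches attribute boundaries in raw text. The following is an added example (not October CMS's or October Rain's own code) of the defender-side alternative: parse the SVG as XML and make the decision on the parsed attribute name, so quoting style, whitespace and letter case have already been resolved by the parser before the on* prefix check runs. It uses only the standard library; the sample SVG, the element blocklist and the `init()`/`handler()` attribute values are constructed for the example, and the assumption that `defusedxml` would replace the stdlib parser for untrusted uploads is noted in the code.

```python
"""Parse-based stripping of SVG event-handler attributes (added example)."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements with no legitimate use in an uploaded image that can execute code
# or embed arbitrary HTML. Constructed for this example; keep it explicit.
BLOCKED_ELEMENTS = {"script", "foreignObject"}


def local_name(qualified: str) -> str:
    """'{namespace}name' -> 'name'; un-namespaced names are returned unchanged."""
    return qualified.rsplit("}", 1)[-1]


def is_event_handler(attr_name: str) -> bool:
    """Decide on the *parsed* attribute name: prefix check, case-insensitive.

    Because the parser has already handled quotes, '=' spacing and namespace
    prefixes, there is no textual boundary left for a crafted payload to abuse.
    """
    return local_name(attr_name).lower().startswith("on")


def sanitize_svg(svg_bytes: bytes) -> Tuple[bytes, List[str]]:
    """Return (cleaned SVG bytes, findings describing what was removed).

    The stdlib parser is used so the example runs anywhere. Assumption: for
    untrusted uploads the same walk would run over a defusedxml-parsed tree,
    which refuses entity-expansion and external-entity tricks.
    """
    root = ET.fromstring(svg_bytes)
    findings: List[str] = []

    # Snapshot the tree before mutating it: ET.iter() walks lazily.
    for parent in list(root.iter()):
        for child in list(parent):
            if local_name(child.tag) in BLOCKED_ELEMENTS:
                parent.remove(child)
                findings.append(f"removed element <{local_name(child.tag)}>")

    for elem in list(root.iter()):
        for attr in list(elem.attrib):
            if is_event_handler(attr):
                del elem.attrib[attr]
                findings.append(
                    f"removed attribute {local_name(attr)} on <{local_name(elem.tag)}>"
                )

    return ET.tostring(root, encoding="utf-8"), findings


def has_event_handlers(svg_bytes: bytes) -> bool:
    """Detection-only check for upload logging: True if any on* attribute exists."""
    root = ET.fromstring(svg_bytes)
    return any(is_event_handler(a) for e in root.iter() for a in e.attrib)


# Constructed sample: a plain icon carrying handler attributes in mixed case
# and quoting styles, plus an inline script block.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10" onload="init()">
  <script>init();</script>
  <rect x="1" y="1" width="8" height="8" OnClick='handler()' fill="red"/>
  <circle cx="5" cy="5" r="2" onMouseOver = "handler()"/>
</svg>"""

if __name__ == "__main__":
    cleaned, report = sanitize_svg(SAMPLE_SVG)
    print(cleaned.decode())
    for line in report:
        print("finding:", line)
```

The `findings` list is what a media-upload handler would log or alert on: an upload that needed cleaning is itself a signal worth recording, independent of whether the cleaned file is then stored. `has_event_handlers` is the same check in read-only form, suitable for scanning files already in the media library.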
Impact
- Stored XSS via malicious SVG files uploaded through the Media Manager
- Could allow privilege escalation if a superuser views or embeds the malicious SVG
- Requires authenticated backend access with media upload permissions (media.library.create)
- SVG must be viewed or embedded in a page to trigger
Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.
Workarounds
If upgrading immediately is not possible:
- Disable SVG uploads by adding svg to the blocked extensions in media configuration
- Set media.clean_vectors to true in configuration (enabled by default)
References
- Reported by Offensive Security Research Team
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.9"
},
"package": {
"ecosystem": "Packagist",
"name": "october/rain"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.7.13"
},
"package": {
"ecosystem": "Packagist",
"name": "october/rain"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25133"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T22:29:50Z",
"nvd_published_at": "2026-04-14T21:16:25Z",
"severity": "MODERATE"
},
"details": "A stored cross-site scripting (XSS) vulnerability was identified in the SVG sanitization logic. The regex pattern used to strip `on*` event handler attributes could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries.\n\n### Impact\n- Stored XSS via malicious SVG files uploaded through the Media Manager\n- Could allow privilege escalation if a superuser views or embeds the malicious SVG\n- Requires authenticated backend access with media upload permissions (`media.library.create`)\n- SVG must be viewed or embedded in a page to trigger\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Disable SVG uploads by adding `svg` to the blocked extensions in media configuration\n- Set `media.clean_vectors` to `true` in configuration (enabled by default)\n\n### References\n- Reported by Offensive Security Research Team",
"id": "GHSA-gcqv-f29m-67gr",
"modified": "2026-04-14T22:29:50Z",
"published": "2026-04-14T22:29:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25133"
},
{
"type": "PACKAGE",
"url": "https://github.com/octobercms/october"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "October Rain has Stored XSS via SVG Filter Bypass"
}