GHSA-WVPQ-H33F-8RP6

Vulnerability from github – Published: 2026-01-09 20:12 – Updated: 2026-01-09 20:12
VLAI?
Summary
October CMS Vulnerable to Stored XSS via Branding Styles
Details

A cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms:

  • Branding and Appearances Styles
    A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input at
    Settings → Branding & Appearance → Styles.

A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users.

Impact

  • Persistent XSS across the backend interface.
  • Exploitable by lower-privileged accounts with the above permissions.
  • Potential consequences include privilege escalation, session hijacking, and execution of unauthorized actions in victim sessions.

Patches

The vulnerability has been patched in v4.0.12 and v3.7.13.
Stylesheet inputs are now sanitized to prevent injection of arbitrary HTML/JS.

All users are strongly encouraged to upgrade to the latest patched version.

Workarounds

If upgrading immediately is not possible:
- Restrict the permissions Customize Backend Styles to fully trusted administrators only.

This reduces exposure but does not fully eliminate risk.

Credits

Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.7.12"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "october/system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.11"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "october/system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-09T20:12:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms:\n\n- **Branding and Appearances Styles**  \n   A user with the `Customize Backend Styles` permission could inject malicious HTML/JS into the stylesheet input at  \n   *Settings \u2192 Branding \u0026 Appearance \u2192 Styles*.  \n\nA specially crafted input could break out of the intended `\u003cstyle\u003e` context, allowing arbitrary script execution across backend pages for all users.\n\n---\n\n### Impact\n- Persistent XSS across the backend interface.  \n- Exploitable by lower-privileged accounts with the above permissions.  \n- Potential consequences include privilege escalation, session hijacking, and execution of unauthorized actions in victim sessions.\n\n---\n\n### Patches\nThe vulnerability has been patched in **v4.0.12** and **v3.7.13**.  \nStylesheet inputs are now sanitized to prevent injection of arbitrary HTML/JS.  \n\nAll users are strongly encouraged to upgrade to the latest patched version.\n\n---\n\n### Workarounds\nIf upgrading immediately is not possible:  \n- Restrict the permissions `Customize Backend Styles` to fully trusted administrators only.  \n\nThis reduces exposure but does not fully eliminate risk.\n\n---\n\n### Credits\n- Reported by **[Nakkouch Tarek](https://github.com/nakkouchtarek)**",
  "id": "GHSA-wvpq-h33f-8rp6",
  "modified": "2026-01-09T20:12:24Z",
  "published": "2026-01-09T20:12:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-wvpq-h33f-8rp6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octobercms/october"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "October CMS Vulnerable to Stored XSS via Branding Styles"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.