october/rain Security Advisories for v1.0.409 (6)
- [MEDIUM] October Rain has Stored XSS via SVG Filter Bypass
  PKSA-22sk-dxft-df3d CVE-2026-25133 GHSA-gcqv-f29m-67gr
  Affected version: <=3.7.13|>=4.0.0,<=4.1.9
  Reported by: GitHub
- [MEDIUM] October Rain has Environment Variable Exfiltration via INI Parser Interpolation
  PKSA-qst9-2ky5-dhpn CVE-2026-25125 GHSA-g6v3-wv4j-x9hg
  Affected version: <=3.7.13|>=4.0.0,<=4.1.9
  Reported by: GitHub
- [MEDIUM] October Rain has a Twig Sandbox Bypass via Collection Methods
  PKSA-7hg1-vmz2-j7w6 CVE-2026-22692 GHSA-m5qg-jc75-4jp6
  Affected version: <=3.7.12|>=4.0.0,<=4.1.4
  Reported by: GitHub
- [MEDIUM] OctoberCMS Cross-Site Scripting
  PKSA-ybjk-32sz-v9ns CVE-2017-15284 GHSA-gvgf-fp4m-2hw6
  Affected version: <1.0.426
  Reported by: GitHub
- [CRITICAL] October CMS Session ID not invalidated after logout
  PKSA-gvvr-k6pk-nfpz CVE-2021-3311 GHSA-7ggw-h8pp-r95r
  Affected version: >=1.1.0,<1.1.2|<1.0.472
  Reported by: GitHub
- [MEDIUM] Reliance on Cookies without validation in OctoberCMS
  PKSA-sq51-nv4y-j4xf CVE-2020-15128 GHSA-55mm-5399-7r63
  Affected version: >=1.0.319,<1.0.468
  Reported by: GitHub