Description
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries, allowing malicious SVG files to be uploaded through the Media Manager with embedded JavaScript. Exploitation could lead to privilege escalation if a superuser views or embeds the malicious SVG, and requires authenticated backend access with media upload permissions. The SVG must be viewed or embedded in a page for the payload to trigger. This issue has been fixed in versions 3.7.14 and 4.1.10.
Published: 2026-04-14
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via Unauthorized SVG Upload
Action: Patch
AI Analysis

Impact

October CMS stores user‑provided SVG files after sanitization. A regular expression used to strip event handler attributes can be tricked with a specially crafted payload that exploits attribute boundary detection. When a malicious SVG file containing JavaScript is uploaded through the Media Manager, the script runs whenever the file is viewed or embedded, allowing an attacker with backend upload permissions to execute arbitrary code in a superuser context, effectively achieving privilege escalation.

Affected Systems

October CMS versions older than 3.7.14 and 4.1.10 are affected. The vulnerability exists in the core SVG sanitization logic and is present in the October CMS product only.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to be authenticated with media upload rights and to trigger the SVG in a browser. Because the payload is stored and only activates upon viewing, the attack vector is authenticated file upload combined with user interaction with the compromised media.

Generated by OpenCVE AI on April 14, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade October CMS to version 3.7.14 or 4.1.10 to apply the vendor patch that fixes the SVG sanitization loopback.
  • If an upgrade cannot be performed immediately, restrict media upload permissions to trusted users only and consider disabling SVG uploads in the CMS settings.
  • Re‑review the media library and remove any SVG files containing event handler attributes that may have been uploaded prior to the patch.

Generated by OpenCVE AI on April 14, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gcqv-f29m-67gr October Rain has Stored XSS via SVG Filter Bypass
History

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Octobercms
Octobercms october
Vendors & Products Octobercms
Octobercms october

Tue, 14 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries, allowing malicious SVG files to be uploaded through the Media Manager with embedded JavaScript. Exploitation could lead to privilege escalation if a superuser views or embeds the malicious SVG, and requires authenticated backend access with media upload permissions. The SVG must be viewed or embedded in a page for the payload to trigger. This issue has been fixed in versions 3.7.14 and 4.1.10.
Title October CMS has Stored XSS via SVG Filter Bypass
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Octobercms October
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T13:47:42.800Z

Reserved: 2026-01-29T14:03:42.540Z

Link: CVE-2026-25133

cve-icon Vulnrichment

Updated: 2026-04-16T13:47:38.681Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T21:16:25.330

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-25133

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:41:09Z

Weaknesses