CVE-2025-61676
October CMS Vulnerable to Stored XSS via Branding Styles
Description
A cross-site scripting (XSS) vulnerabilities was identified in October CMS backend configuration forms: - **Branding and Appearances Styles** A user with the `Customize Backend Styles` permission could inject malicious HTML/JS into the stylesheet input at *Settings → Branding & Appearance → Styles*. A specially crafted input could break out of the intended `<style>` context, allowing arbitrary script execution across backend pages for all users. --- ### Impact - Persistent XSS across the backend interface. - Exploitable by lower-privileged accounts with the above permissions. - Potential consequences include privilege escalation, session hijacking, and execution of unauthorized actions in victim sessions. --- ### Patches The vulnerability has been patched in **v4.0.12** and **v3.7.13**. Stylesheet inputs are now sanitized to prevent injection of arbitrary HTML/JS. All users are strongly encouraged to upgrade to the latest patched version. --- ### Workarounds If upgrading immediately is not possible: - Restrict the permissions `Customize Backend Styles` to fully trusted administrators only. This reduces exposure but does not fully eliminate risk. --- ### Credits - Reported by **[Nakkouch Tarek](https://github.com/nakkouchtarek)**
How to fix CVE-2025-61676
To remediate CVE-2025-61676, upgrade the affected package to a fixed version below.
- —upgrade to 3.7.13 or later
Is CVE-2025-61676 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.7.13