XSS in Octobercms October

CVE-2026-25133

October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attri…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (0.9th percentile) — read the EPSS interpretation.