Octobercms October
50 CVEs affecting Octobercms October. Latest disclosed: 2026-04-21. Critical: 4, High: 12.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2017-1000197 | Critical | 9.8 | 2017-11-17 | October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating malicious files on the server. |
| CVE-2017-1000196 | Critical | 9.8 | 2017-11-17 | October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromise and possibly other applications on th… |
| CVE-2017-1000194 | Critical | 9.8 | 2017-11-17 | October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromise and possibly other applicat… |
| CVE-2023-44382 | Critical | 9.1 | 2023-12-01 | October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `… |
| CVE-2021-32649 | High | 8.8 | 2022-01-14 | October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with… |
| CVE-2021-32650 | High | 8.8 | 2022-01-14 | October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with… |
| CVE-2017-16941 | High | 8.8 | 2017-11-25 | October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a… |
| CVE-2017-16244 | High | 8.8 | 2017-11-01 | Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker t… |
| CVE-2021-32648 | High | 8.2 | 2021-08-26 | octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password… |
| CVE-2022-24800 | High | 8.1 | 2022-07-12 | October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2… |
| CVE-2020-15246 | High | 7.5 | 2020-11-23 | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an… |
| CVE-2017-1000195 | High | 7.5 | 2017-11-17 | October CMS build 412 is vulnerable to PHP object injection in asset move functionality resulting in ability to delete files limited by file permissions on the… |
| CVE-2021-29487 | High | 7.4 | 2021-08-26 | octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can exploit this vulnerability… |
| CVE-2022-21705 | High | 7.2 | 2022-02-23 | Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An au… |
| CVE-2021-41126 | High | 7.2 | 2021-10-06 | October is a Content Management System (CMS) and web platform built on the Laravel PHP Framework. In affected versions administrator accounts which had pre… |
| CVE-2017-1000119 | High | 7.2 | 2017-10-05 | October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the… |
| CVE-2021-21265 | Medium | 6.8 | 2021-03-10 | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured… |
| CVE-2026-26274 | Medium | 6.6 | 2026-04-21 | October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy t… |
| CVE-2022-35944 | Medium | 6.2 | 2022-10-13 | October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely o… |
| CVE-2020-5296 | Medium | 6.2 | 2020-06-03 | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local… |