| CVE-2021-32648 | unknown | — | 1.5 | | | | 5y ago | In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. |
| CVE-2026-29179 | unknown | — | — | | | | 1mo ago | October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations |
| CVE-2026-27937 | unknown | — | — | | | | 1mo ago | October CMS: Reflected XSS via DataTable Form Widget |
| CVE-2026-26067 | unknown | — | — | | | | 1mo ago | October CMS has Safe Mode Bypass via CSS Preprocessor Compilers |
| CVE-2026-24907 | unknown | — | — | | | | 2mo ago | October CMS has Stored XSS in Event Log Mail Preview |
| CVE-2026-24906 | unknown | — | — | | | | 2mo ago | October CMS has Stored XSS in Backend Editor Markup Classes |
| CVE-2025-61676 | unknown | — | — | | | | 5mo ago | October CMS Vulnerable to Stored XSS via Branding Styles |
| CVE-2025-61674 | unknown | — | — | | | | 5mo ago | October CMS Vulnerable to Stored XSS via Editor and Branding Styles |
| CVE-2024-51991 | unknown | — | — | | | | 1y ago | October CMS Allows Unprotected SVG Rename in Media Manager |
| CVE-2024-24764 | unknown | — | — | | | | 2y ago | October System module has an Open Redirect for Administrator Accounts |
| CVE-2024-25637 | unknown | — | — | | | | 2y ago | October System module has a Reflected XSS via X-October-Request-Handler Header |
| CVE-2023-44383 | unknown | — | — | | | | 3y ago | October CMS stored XSS by authenticated backend user with improper configuration |
| CVE-2023-44382 | unknown | — | — | | | | 3y ago | October CMS safe mode bypass using Twig sandbox escape |
| CVE-2023-44381 | unknown | — | — | | | | 3y ago | October CMS safe mode bypass using Page template injection |
| CVE-2022-35944 | unknown | — | — | | | | 4y ago | October CMS Safe Mode bypass leads to authenticated Remote Code Execution |
| CVE-2022-24800 | unknown | — | — | | | | 4y ago | October CMS upload process vulnerable to RCE via Race Condition |
| CVE-2022-23655 | unknown | — | — | | | | 4y ago | Missing server signature validation in OctoberCMS |
| CVE-2022-21705 | unknown | — | — | | | | 4y ago | Authenticated remote code execution in October CMS |
| CVE-2021-32650 | unknown | — | — | | | | 4y ago | october/system arbitrary code execution |
| CVE-2021-32649 | unknown | — | — | | | | 4y ago | October/System authenticated file write leads to remote code execution |
| CVE-2021-41126 | unknown | — | — | | | | 5y ago | Deleted Admin Can Sign In to Admin Interface |
| CVE-2021-29487 | unknown | — | — | | | | 5y ago | October CMS auth bypass and account takeover |