📦 October
by Octobercms
🛡️ Security Overview
⚠️ Known Vulnerabilities
October CMS has a critical vulnerability where authenticated backend users with specific editor permissions can bypass the Twig sandbox and execute arbitrary PHP code even when safe_mode is enabled. T...
CVE-2021-3311 is an authentication bypass vulnerability in October CMS where old session IDs become reactivated after a new login occurs. This allows attackers with knowledge of previously invalidated...
This vulnerability allows a local attacker to upload malicious .mp3 files containing XSS payloads to October CMS, which can then execute arbitrary JavaScript in victims' browsers when accessed. It aff...
This CVE allows authenticated users with page management permissions in OctoberCMS to bypass safe mode restrictions and execute arbitrary code through improper input sanitization. It affects admin pan...
October CMS versions before 1.0.473 and 1.1.6 contain a vulnerability where authenticated backend users with 'create, modify and delete website pages' privileges can execute arbitrary PHP code by inje...
This vulnerability allows deleted administrator accounts to still authenticate and access the October CMS backend. It affects October CMS v2.0 installations where administrator accounts have been dele...
CVE-2021-29487 is an authentication bypass vulnerability in October CMS that allows unauthenticated attackers to take over user accounts. Attackers need the Laravel secret key to exploit this vulnerab...
This vulnerability allows authenticated administrators in October CMS to bypass SVG file sanitization by uploading files with permitted extensions (like .jpg) and later renaming them to .svg. It affec...
This stored XSS vulnerability in October CMS Bloghub Plugin allows attackers to inject malicious scripts into blog comments, which then execute in visitors' browsers. Attackers can steal session cooki...