5.3

October CMS Platform: Malicious SVG Uploads Can Hijack User Sessions

CVE-2026-25133 GHSA-gcqv-f29m-67gr
Summary

October CMS (the `october/rain` library) versions 3.7.13 and earlier, and 4.0.0 through 4.1.9, contain a stored cross-site scripting flaw: the SVG sanitizer's regex for stripping `on*` event-handler attributes can be bypassed, so an authenticated backend user with media upload permission can upload an SVG through the Media Manager that still carries script. If a site administrator (superuser) views or embeds that file, the script runs in the administrator's session and can be used to gain unauthorized access to the site's backend. Update to version 3.7.14 or 4.1.10 to fix the issue.

What to do
  • On the 4.x branch, update october/rain to version 4.1.10.
  • On the 3.x branch, update october/rain to version 3.7.14.
Affected software
Ecosystem   Vendor    Product   Affected versions     Fix
composer    october   rain      >= 4.0.0, <= 4.1.9    upgrade to 4.1.10
composer    october   rain      <= 3.7.13             upgrade to 3.7.14
Original title
October Rain has Stored XSS via SVG Filter Bypass
Original description
A stored cross-site scripting (XSS) vulnerability was identified in the SVG sanitization logic. The regex pattern used to strip `on*` event handler attributes could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries.

### Impact
- Stored XSS via malicious SVG files uploaded through the Media Manager
- Could allow privilege escalation if a superuser views or embeds the malicious SVG
- Requires authenticated backend access with media upload permissions (`media.library.create`)
- SVG must be viewed or embedded in a page to trigger

### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.

### Workarounds
If upgrading immediately is not possible:
- Disable SVG uploads by adding `svg` to the blocked extensions in media configuration
- Set `media.clean_vectors` to `true` in configuration (enabled by default)

### References
- Reported by Offensive Security Research Team
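The following is an added example and is not code from October Rain or from the advisory. It shows a hypothetical regex-based handler stripper of the kind the original description criticises, two constructed, well-formed SVG payloads that slip past it because the pattern hard-codes the boundary between the attribute name, the `=` and the quoted value, and a replacement that sanitizes the parsed XML tree instead of the raw text, which is the safer design regardless of what the real October Rain pattern looked like. The regex, the function names and the sample documents are illustrative assumptions; the namespace URIs are the standard SVG and XLink ones, and only the Python standard library is used.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize as <svg xmlns="..."> rather than <ns0:svg>
ET.register_namespace("xlink", XLINK_NS)

# Hypothetical regex sanitiser of the kind the advisory describes. This is NOT October
# Rain's real pattern; it only illustrates the bug class: the pattern hard-codes the
# attribute boundary as `<whitespace>on<name>="<value on one line>"`.
NAIVE_ON_ATTR = re.compile(r'\son\w+=".*?"')


def naive_strip_handlers(svg: str) -> str:
    """Regex-based stripping: removes only the exact form the pattern anticipates."""
    return NAIVE_ON_ATTR.sub("", svg)


def _local(qname: str) -> str:
    """'{uri}name' -> 'name' (ElementTree's Clark notation for namespaced names)."""
    return qname.rsplit("}", 1)[-1]


def _is_script_url(value: str) -> bool:
    # Browsers ignore ASCII tab/newline inside a URL and trim leading controls/spaces,
    # so remove every control character and space before checking the scheme.
    return re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:")


def contains_active_content(svg: str) -> bool:
    """Structural check: does the document still carry any script-capable construct?"""
    root = ET.fromstring(svg)
    for elem in root.iter():
        if _local(elem.tag).lower() in ("script", "foreignobject"):
            return True
        for name, value in elem.attrib.items():
            local = _local(name).lower()
            if local.startswith("on") or (local == "href" and _is_script_url(value)):
                return True
    return False


def sanitize_svg(svg: str) -> str:
    """Parse as XML and strip event handlers, script elements and javascript: URLs.

    Working on the parsed tree means the XML parser decides where one attribute ends
    and the next begins, so there is no text-level boundary left to game.
    """
    if "<!DOCTYPE" in svg.upper():
        raise ValueError("DOCTYPE is not allowed (internal entity expansion risk)")
    root = ET.fromstring(svg)
    if _local(root.tag) != "svg":
        raise ValueError("root element must be <svg>")
    for elem in list(root.iter()):                    # snapshot: the tree is mutated below
        for name in list(elem.attrib):
            local = _local(name).lower()
            if local.startswith("on") or (local == "href" and _is_script_url(elem.attrib[name])):
                del elem.attrib[name]
        for child in list(elem):
            if _local(child.tag).lower() in ("script", "foreignobject"):
                elem.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample documents (not taken from the advisory).
BENIGN = '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><rect width="10" height="10" fill="red"/></svg>'
SIMPLE_PAYLOAD = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
# Both bypasses are well-formed XML: whitespace is allowed around '=' and a newline is
# allowed inside an attribute value, but the regex above expects neither.
BYPASS_SPACE_EQ = '<svg xmlns="http://www.w3.org/2000/svg" onload ="alert(1)"/>'
BYPASS_NEWLINE = '<svg xmlns="http://www.w3.org/2000/svg" onload="\nalert(1)"/>'
# A javascript: link whose scheme is split by a character-referenced newline, which the
# XML parser keeps and the browser's URL parser discards.
BYPASS_XLINK = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                '<a xlink:href="java&#10;script:alert(1)"><text y="10">click</text></a></svg>')

if __name__ == "__main__":
    for doc in (SIMPLE_PAYLOAD, BYPASS_SPACE_EQ, BYPASS_NEWLINE, BYPASS_XLINK):
        print("regex  :", contains_active_content(naive_strip_handlers(doc)))
        print("parsed :", contains_active_content(sanitize_svg(doc)))
```

Two caveats apply when adapting this. `xml.etree` does not fetch external entities, but it does expand internal ones, which is why a DOCTYPE is rejected outright; a production sanitizer should use a hardened parser (for example `defusedxml`) and an allow-list of elements and attributes rather than the deny-list shown here. And the example only addresses script execution, which matches the advisory's trigger condition: an SVG loaded through `<img>` never runs script, so the exposure is when the file is opened directly or embedded inline in a backend page.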
NVD CVSS 4.0 score: 4.8
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 14 Apr 2026 · Updated: 16 Apr 2026 · First seen: 14 Apr 2026