CVE-2026-25133

Severity: MEDIUM (4.8) · EPSS: 0.01%

October Rain has Stored XSS via SVG Filter Bypass

Published: 4/14/2026 · Modified: 5/8/2026
Also known as: GHSA-gcqv-f29m-67gr

Description

A stored cross-site scripting (XSS) vulnerability was identified in the SVG sanitization logic. The regex pattern used to strip `on*` event handler attributes could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries.

### Impact

- Stored XSS via malicious SVG files uploaded through the Media Manager
- Could allow privilege escalation if a superuser views or embeds the malicious SVG
- Requires authenticated backend access with media upload permissions (`media.library.create`)
- The SVG must be viewed or embedded in a page to trigger

### Patches

The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.

### Workarounds

If upgrading immediately is not possible:

- Disable SVG uploads by adding `svg` to the blocked extensions in the media configuration
- Set `media.clean_vectors` to `true` in the configuration (enabled by default)

### References

- Reported by Pentest-Tools.com
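The advisory does not publish the vulnerable pattern or the reporter's payload, so the following is an added illustration of the bug class rather than October CMS's `media.clean_vectors` code: a constructed regex (`NAIVE_ON_ATTR`) that strips `on*` handlers only when they appear in the one attribute shape it expects, the generic quoting variants that slip past such a pattern, and a parser-based sanitizer (`safe_strip`, `sanitize_upload`; names are hypothetical) that removes handlers from the parsed attribute table instead of from the serialized bytes. The sample SVG uploads are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Hypothetical filter, constructed for this example. It is NOT the October CMS
# implementation; it models the bug class in the advisory: a regex that only
# recognises one attribute shape (whitespace, on*, '=', a double-quoted value)
# and therefore misses any handler written with a different boundary.
NAIVE_ON_ATTR = re.compile(r'\s+on\w+\s*=\s*"[^"]*"', re.IGNORECASE)


def naive_strip(svg: str) -> str:
    """Regex-based stripping of on* handlers (the weak approach)."""
    return NAIVE_ON_ATTR.sub("", svg)


def has_handler(markup: str) -> bool:
    """Coarse check used only to judge output: is any on*= attribute left?"""
    return re.search(r"\bon\w+\s*=", markup, re.IGNORECASE) is not None


def safe_strip(svg: str) -> str:
    """Parser-based sanitizer: decide on parsed attributes, not on raw bytes.

    Every attribute whose local name starts with "on" is dropped regardless of
    quoting, spacing or case; <script> elements are removed; href values with a
    javascript: scheme are dropped. Malformed input raises ET.ParseError.
    (For untrusted XML in production, parse with defusedxml to block entity
    expansion; plain ElementTree is used here to stay stdlib-only.)
    """
    root = ET.fromstring(svg)
    for el in list(root.iter()):  # snapshot, because the loop mutates the tree
        for name in list(el.attrib):
            local = name.rsplit("}", 1)[-1].lower()  # strip "{namespace}"
            value = el.attrib[name]
            if local.startswith("on"):
                del el.attrib[name]
            elif local == "href" and re.match(r"\s*javascript:", value, re.IGNORECASE):
                del el.attrib[name]
        for child in list(el):
            if child.tag.rsplit("}", 1)[-1].lower() == "script":
                el.remove(child)
    return ET.tostring(root, encoding="unicode")


def sanitize_upload(svg: str):
    """Upload-handler behaviour: return the cleaned SVG, or None to reject it.
    Never fall back to the regex when the parser fails."""
    try:
        return safe_strip(svg)
    except ET.ParseError:
        return None


# Constructed sample uploads. "double_quoted" is the only shape the naive
# regex expects; the others are generic variants, not the reporter's payload.
SAMPLES = {
    "double_quoted": f'<svg xmlns="{SVG_NS}" onload="alert(1)"><rect width="1" height="1"/></svg>',
    "single_quoted": f"<svg xmlns='{SVG_NS}' onload='alert(1)'><rect width='1' height='1'/></svg>",
    "script_and_href": (
        f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}">'
        "<script>alert(1)</script>"
        '<a xlink:href="javascript:alert(1)"><rect width="1" height="1"/></a></svg>'
    ),
}
# No whitespace before the attribute: the regex misses it, and because it is
# not well-formed XML the parser-based path rejects it instead of passing it on.
SLASH_SEPARATED = "<svg/onload=alert(1)><rect/></svg>"


if __name__ == "__main__":
    for name, svg in SAMPLES.items():
        print(f"{name:16} regex leaves handler: {has_handler(naive_strip(svg))!s:5} "
              f"parser leaves handler: {has_handler(safe_strip(svg))}")
    print("slash_separated  parser result:", sanitize_upload(SLASH_SEPARATED))
```

The practitioner's takeaway is the structural one: a regex over serialized markup has to enumerate every way an attribute boundary can be written (quote style, whitespace, separators, case), and the attacker only needs one it did not anticipate; a sanitizer that parses first and then inspects attribute names sees every `on*` handler the same way no matter how it was spelled, and unparseable input can be rejected outright rather than forwarded.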

Affected packages (1)

CVSS scores

| Source | Version  | Severity | Score | Vector |
|--------|----------|----------|-------|--------|
| osv    | CVSS 4.0 |          |       | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv    | CVSS 3.1 | MEDIUM   | 4.8   | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |

References (3)

CVE-2026-25133 — October Rain has Stored XSS via SVG Filter Bypass · VulnScope