✅ Check your installed version
All known vulnerabilities
from 0, < 1.0.472
CRITICAL9.1CVE-2023-44382October CMS safe mode bypass using Twig sandbox escape >= 3.0.0, < 3.4.15
>= 1.1.0, < 1.1.6
HIGH8.8CVE-2021-32649October/System authenticated file write leads to remote code execution >= 1.1.0, < 1.1.6
HIGH8.1CVE-2022-24800October CMS upload process vulnerable to RCE via Race Condition from 0, < 1.0.476
from 0, < 1.0.472
HIGH7.2CVE-2022-35944October CMS Safe Mode bypass leads to authenticated Remote Code Execution >= 2.0.0, < 2.2.34
HIGH7.2CVE-2022-21705Authenticated remote code execution in October CMS from 0, < 1.0.474
>= 2.1.0, < 2.1.12
MEDIUM6.1CVE-2025-61676October CMS Vulnerable to Stored XSS via Branding Styles from 0, < 3.7.13
MEDIUM6.1CVE-2025-61674October CMS Vulnerable to Stored XSS via Editor and Branding Styles from 0, < 3.7.13
MEDIUM5.4CVE-2026-24907October CMS has Stored XSS in Event Log Mail Preview >= 4.0.0, < 4.1.10
MEDIUM5.4CVE-2026-24906October CMS has Stored XSS in Backend Editor Markup Classes >= 4.0.0, < 4.1.10
MEDIUM5.4CVE-2023-44383October CMS stored XSS by authenticated backend user with improper configuration >= 3.0.0, < 3.5.2
MEDIUM4.9CVE-2026-26067October CMS has Safe Mode Bypass via CSS Preprocessor Compilers from 0, < 3.7.14
MEDIUM4.9CVE-2023-44381October CMS safe mode bypass using Page template injection >= 3.0.0, < 3.4.15
MEDIUM4.8CVE-2022-23655Missing server signature validation in OctoberCMS >= 1.1.0, < 1.1.11
LOW3.5CVE-2024-24764October System module has an Open Redirect for Administrator Accounts >= 3.2, < 3.5.15
LOW3.3CVE-2026-29179October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations >= 4.0.0, < 4.1.16
LOW3.1CVE-2026-27937October CMS: Reflected XSS via DataTable Form Widget from 0, < 3.7.16
LOW3.1CVE-2024-25637October System module has a Reflected XSS via X-October-Request-Handler Header >= 3.2, < 3.5.15
—CVE-2024-51991October CMS Allows Unprotected SVG Rename in Media Manager from 0, < 3.7.5