{"package":"october/system","ecosystem":"composer","latest_version":"v1.1.12","description":"System module for October CMS","license":"MIT","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://octobercms.com","repository":"https://github.com/octoberrain/system","downloads_weekly":0,"health":{"score":33,"risk":"critical","breakdown":{"maintenance":0,"popularity":0,"security":15,"maturity":15,"community":3},"deprecated":false,"max_score":100},"vulnerabilities":{"count":8,"critical":0,"high":0,"medium":5,"low":3,"details":[{"vuln_id":"CVE-2026-26067","severity":"medium","summary":"October CMS has Safe Mode Bypass via CSS Preprocessor Compilers","affected_versions":"<3.7.14|>=4.0.0,<4.1.10|=v1.0.319|=v1.0.320|=v1.0.321|=v1.0.322|=v1.0.323|=v1.0.324|=v1.0.325|=v1.0.326|=v1.0.327|=v1.0.328|=v1.0.329|=v1.0.330|=v1.0.331|=v1.0.332|=v1.0.333|=v1.0.334|=v1.0.335|=v1.0.336|=v1.0.337|=v1.0.338|=v1.0.339|=v1.0.340|=v1.0.341|=v1.0.342|=v1.0.343|=v1.0.344|=v1.0.345|=v1.0.346|=v1.0.347|=v1.0.348|=v1.0.349|=v1.0.350|=v1.0.351|=v1.0.352|=v1.0.353|=v1.0.354|=v1.0.355|=v1.0.356|=v1.0.357|=v1.0.358|=v1.0.359|=v1.0.360|=v1.0.361|=v1.0.362|=v1.0.363|=v1.0.364|=v1.0.365|=v1.0.366|=v1.0.367|=v1.0.368|=v1.0.369|=v1.0.370|=v1.0.371|=v1.0.372|=v1.0.373|=v1.0.374|=v1.0.375|=v1.0.376|=v1.0.377|=v1.0.378|=v1.0.379|=v1.0.380|=v1.0.381|=v1.0.382|=v1.0.383|=v1.0.384|=v1.0.385|=v1.0.386|=v1.0.387|=v1.0.388|=v1.0.389|=v1.0.390|=v1.0.391|=v1.0.392|=v1.0.393|=v1.0.394|=v1.0.395|=v1.0.396|=v1.0.397|=v1.0.398|=v1.0.399|=v1.0.400|=v1.0.401|=v1.0.402|=v1.0.403|=v1.0.404|=v1.0.405|=v1.0.406|=v1.0.407|=v1.0.408|=v1.0.409|=v1.0.410|=v1.0.411|=v1.0.412|=v1.0.413|=v1.0.414|=v1.0.415|=v1.0.416|=v1.0.417|=v1.0.418|=v1.0.419|=v1.0.420|=v1.0.421|=v1.0.422|=v1.0.423|=v1.0.424|=v1.0.425|=v1.0.426|=v1.0.427|=v1.0.428|=v1.0.429|=v1.0.430|=v1.0.431|=v1.0.432|=v1.0.433|=v1.0.434|=v1.0.435|=v1.0.436|=v1.0.437|=v1.0.438|=v1.0.439|=v1.0.440|=v1.0.441|=v1.0.442|=v1.0.443|=v1.0.444|=v1.0.445|=v1.0.446|=v1.0.447|=v1.0.448|=v1.0.449|=v1.0.450|=v1.0.451|=v1.0.452|=v1.0.453|=v1.0.454|=v1.0.455|=v1.0.456|=v1.0.457|=v1.0.458|=v1.0.459|=v1.0.460|=v1.0.461|=v1.0.462|=v1.0.463|=v1.0.464|=v1.0.465|=v1.0.466|=v1.0.467|=v1.0.468|=v1.0.469|=v1.0.470|=v1.0.471|=v1.0.472|=v1.0.473|=v1.0.474|=v1.0.475|=v1.0.476|=v1.1.0|=v1.1.1|=v1.1.10|=v1.1.11|=v1.1.12|=v1.1.2|=v1.1.3|=v1.1.4|=v1.1.5|=v1.1.6|=v1.1.9","fixed_version":"4.1.10","source":"osv","published_at":"2026-04-21T16:43:49Z","in_kev":false,"epss_prob":0.00049,"epss_percentile":0.15104,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-24906","severity":"medium","summary":"October CMS has Stored XSS in Backend Editor Markup Classes","affected_versions":">=4.0.0,<4.1.10|<3.7.14|=v1.0.319|=v1.0.320|=v1.0.321|=v1.0.322|=v1.0.323|=v1.0.324|=v1.0.325|=v1.0.326|=v1.0.327|=v1.0.328|=v1.0.329|=v1.0.330|=v1.0.331|=v1.0.332|=v1.0.333|=v1.0.334|=v1.0.335|=v1.0.336|=v1.0.337|=v1.0.338|=v1.0.339|=v1.0.340|=v1.0.341|=v1.0.342|=v1.0.343|=v1.0.344|=v1.0.345|=v1.0.346|=v1.0.347|=v1.0.348|=v1.0.349|=v1.0.350|=v1.0.351|=v1.0.352|=v1.0.353|=v1.0.354|=v1.0.355|=v1.0.356|=v1.0.357|=v1.0.358|=v1.0.359|=v1.0.360|=v1.0.361|=v1.0.362|=v1.0.363|=v1.0.364|=v1.0.365|=v1.0.366|=v1.0.367|=v1.0.368|=v1.0.369|=v1.0.370|=v1.0.371|=v1.0.372|=v1.0.373|=v1.0.374|=v1.0.375|=v1.0.376|=v1.0.377|=v1.0.378|=v1.0.379|=v1.0.380|=v1.0.381|=v1.0.382|=v1.0.383|=v1.0.384|=v1.0.385|=v1.0.386|=v1.0.387|=v1.0.388|=v1.0.389|=v1.0.390|=v1.0.391|=v1.0.392|=v1.0.393|=v1.0.394|=v1.0.395|=v1.0.396|=v1.0.397|=v1.0.398|=v1.0.399|=v1.0.400|=v1.0.401|=v1.0.402|=v1.0.403|=v1.0.404|=v1.0.405|=v1.0.406|=v1.0.407|=v1.0.408|=v1.0.409|=v1.0.410|=v1.0.411|=v1.0.412|=v1.0.413|=v1.0.414|=v1.0.415|=v1.0.416|=v1.0.417|=v1.0.418|=v1.0.419|=v1.0.420|=v1.0.421|=v1.0.422|=v1.0.423|=v1.0.424|=v1.0.425|=v1.0.426|=v1.0.427|=v1.0.428|=v1.0.429|=v1.0.430|=v1.0.431|=v1.0.432|=v1.0.433|=v1.0.434|=v1.0.435|=v1.0.436|=v1.0.437|=v1.0.438|=v1.0.439|=v1.0.440|=v1.0.441|=v1.0.442|=v1.0.443|=v1.0.444|=v1.0.445|=v1.0.446|=v1.0.447|=v1.0.448|=v1.0.449|=v1.0.450|=v1.0.451|=v1.0.452|=v1.0.453|=v1.0.454|=v1.0.455|=v1.0.456|=v1.0.457|=v1.0.458|=v1.0.459|=v1.0.460|=v1.0.461|=v1.0.462|=v1.0.463|=v1.0.464|=v1.0.465|=v1.0.466|=v1.0.467|=v1.0.468|=v1.0.469|=v1.0.470|=v1.0.471|=v1.0.472|=v1.0.473|=v1.0.474|=v1.0.475|=v1.0.476|=v1.1.0|=v1.1.1|=v1.1.10|=v1.1.11|=v1.1.12|=v1.1.2|=v1.1.3|=v1.1.4|=v1.1.5|=v1.1.6|=v1.1.9","fixed_version":"3.7.14","source":"osv","published_at":"2026-04-14T20:02:31Z","in_kev":false,"epss_prob":0.00011,"epss_percentile":0.0134,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-51991","severity":"low","summary":"October CMS Allows Unprotected SVG Rename in Media Manager","affected_versions":"<3.7.5|<3.7.5|=v1.0.319|=v1.0.320|=v1.0.321|=v1.0.322|=v1.0.323|=v1.0.324|=v1.0.325|=v1.0.326|=v1.0.327|=v1.0.328|=v1.0.329|=v1.0.330|=v1.0.331|=v1.0.332|=v1.0.333|=v1.0.334|=v1.0.335|=v1.0.336|=v1.0.337|=v1.0.338|=v1.0.339|=v1.0.340|=v1.0.341|=v1.0.342|=v1.0.343|=v1.0.344|=v1.0.345|=v1.0.346|=v1.0.347|=v1.0.348|=v1.0.349|=v1.0.350|=v1.0.351|=v1.0.352|=v1.0.353|=v1.0.354|=v1.0.355|=v1.0.356|=v1.0.357|=v1.0.358|=v1.0.359|=v1.0.360|=v1.0.361|=v1.0.362|=v1.0.363|=v1.0.364|=v1.0.365|=v1.0.366|=v1.0.367|=v1.0.368|=v1.0.369|=v1.0.370|=v1.0.371|=v1.0.372|=v1.0.373|=v1.0.374|=v1.0.375|=v1.0.376|=v1.0.377|=v1.0.378|=v1.0.379|=v1.0.380|=v1.0.381|=v1.0.382|=v1.0.383|=v1.0.384|=v1.0.385|=v1.0.386|=v1.0.387|=v1.0.388|=v1.0.389|=v1.0.390|=v1.0.391|=v1.0.392|=v1.0.393|=v1.0.394|=v1.0.395|=v1.0.396|=v1.0.397|=v1.0.398|=v1.0.399|=v1.0.400|=v1.0.401|=v1.0.402|=v1.0.403|=v1.0.404|=v1.0.405|=v1.0.406|=v1.0.407|=v1.0.408|=v1.0.409|=v1.0.410|=v1.0.411|=v1.0.412|=v1.0.413|=v1.0.414|=v1.0.415|=v1.0.416|=v1.0.417|=v1.0.418|=v1.0.419|=v1.0.420|=v1.0.421|=v1.0.422|=v1.0.423|=v1.0.424|=v1.0.425|=v1.0.426|=v1.0.427|=v1.0.428|=v1.0.429|=v1.0.430|=v1.0.431|=v1.0.432|=v1.0.433|=v1.0.434|=v1.0.435|=v1.0.436|=v1.0.437|=v1.0.438|=v1.0.439|=v1.0.440|=v1.0.441|=v1.0.442|=v1.0.443|=v1.0.444|=v1.0.445|=v1.0.446|=v1.0.447|=v1.0.448|=v1.0.449|=v1.0.450|=v1.0.451|=v1.0.452|=v1.0.453|=v1.0.454|=v1.0.455|=v1.0.456|=v1.0.457|=v1.0.458|=v1.0.459|=v1.0.460|=v1.0.461|=v1.0.462|=v1.0.463|=v1.0.464|=v1.0.465|=v1.0.466|=v1.0.467|=v1.0.468|=v1.0.469|=v1.0.470|=v1.0.471|=v1.0.472|=v1.0.473|=v1.0.474|=v1.0.475|=v1.0.476|=v1.1.0|=v1.1.1|=v1.1.10|=v1.1.11|=v1.1.12|=v1.1.2|=v1.1.3|=v1.1.4|=v1.1.5|=v1.1.6|=v1.1.9|=v1.0.319|=v1.0.320|=v1.0.321|=v1.0.322|=v1.0.323|=v1.0.324|=v1.0.325|=v1.0.326|=v1.0.327|=v1.0.328|=v1.0.329|=v1.0.330|=v1.0.331|=v1.0.332|=v1.0.333|=v1.0.334|=v1.0.335|=v1.0.336|=v1.0.337|=v1.0.338|=v1.0.339|=v1.0.340|=v1.0.341|=v1.0.342|=v1.0.343|=v1.0.344|=v1.0.345|=v1.0.346|=v1.0.347|=v1.0.348|=v1.0.349|=v1.0.350|=v1.0.351|=v1.0.352|=v1.0.353|=v1.0.354|=v1.0.355|=v1.0.356|=v1.0.357|=v1.0.358|=v1.0.359|=v1.0.360|=v1.0.361|=v1.0.362|=v1.0.363|=v1.0.364|=v1.0.365|=v1.0.366|=v1.0.367|=v1.0.368|=v1.0.369|=v1.0.370|=v1.0.371|=v1.0.372|=v1.0.373|=v1.0.374|=v1.0.375|=v1.0.376|=v1.0.377|=v1.0.378|=v1.0.379|=v1.0.380|=v1.0.381|=v1.0.382|=v1.0.383|=v1.0.384|=v1.0.385|=v1.0.386|=v1.0.387|=v1.0.388|=v1.0.389|=v1.0.390|=v1.0.391|=v1.0.392|=v1.0.393|=v1.0.394|=v1.0.395|=v1.0.396|=v1.0.397|=v1.0.398|=v1.0.399|=v1.0.400|=v1.0.401|=v1.0.402|=v1.0.403|=v1.0.404|=v1.0.405|=v1.0.406|=v1.0.407|=v1.0.408|=v1.0.409|=v1.0.410|=v1.0.411|=v1.0.412|=v1.0.413|=v1.0.414|=v1.0.415|=v1.0.416|=v1.0.417|=v1.0.418|=v1.0.419|=v1.0.420|=v1.0.421|=v1.0.422|=v1.0.423|=v1.0.424|=v1.0.425|=v1.0.426|=v1.0.427|=v1.0.428|=v1.0.429|=v1.0.430|=v1.0.431|=v1.0.432|=v1.0.433|=v1.0.434|=v1.0.435|=v1.0.436|=v1.0.437|=v1.0.438|=v1.0.439|=v1.0.440|=v1.0.441|=v1.0.442|=v1.0.443|=v1.0.444|=v1.0.445|=v1.0.446|=v1.0.447|=v1.0.448|=v1.0.449|=v1.0.450|=v1.0.451|=v1.0.452|=v1.0.453|=v1.0.454|=v1.0.455|=v1.0.456|=v1.0.457|=v1.0.458|=v1.0.459|=v1.0.460|=v1.0.461|=v1.0.462|=v1.0.463|=v1.0.464|=v1.0.465|=v1.0.466|=v1.0.467|=v1.0.468|=v1.0.469|=v1.0.470|=v1.0.471|=v1.0.472|=v1.0.473|=v1.0.474|=v1.0.475|=v1.0.476|=v1.1.0|=v1.1.1|=v1.1.10|=v1.1.11|=v1.1.12|=v1.1.2|=v1.1.3|=v1.1.4|=v1.1.5|=v1.1.6|=v1.1.9|=v2.0.0|=v2.0.10|=v2.0.13|=v2.0.14|=v2.0.15|=v2.0.16|=v2.0.27|=v2.0.29|=v2.0.3|=v2.1.0|=v2.1.10|=v2.1.12|=v2.1.16|=v2.1.20|=v2.1.21|=v2.1.22|=v2.1.23|=v2.1.24|=v2.1.25|=v2.1.26|=v2.1.27|=v2.1.29|=v2.1.3|=v2.1.5|=v2.1.6|=v2.1.8|=v2.2.0|=v2.2.10|=v2.2.32|=v2.2.6|=v2.2.9|=v3.0.0|=v3.0.10|=v3.0.17|=v3.0.2|=v3.0.22|=v3.0.40|=v3.0.42|=v3.0.45|=v3.0.46|=v3.0.56|=v3.0.6|=v3.0.61|=v3.0.62|=v3.0.7|=v3.0.74|=v3.0.9|=v3.1.0|=v3.1.1|=v3.1.12|=v3.1.14|=v3.1.22|=v3.1.26|=v3.2.0|=v3.2.11|=v3.3.0|=v3.3.11|=v3.3.3|=v3.3.7|=v3.3.9|=v3.4.0|=v3.4.1|=v3.4.10|=v3.4.14|=v3.4.6|=v3.4.9|=v3.5.0|=v3.5.1|=v3.5.2|=v3.5.4|=v3.5.7|=v3.5.8|=v3.6.0|=v3.6.1|=v3.6.4|=v3.7.0|=v3.7.3","fixed_version":"3.7.5","source":"osv","published_at":"2025-05-05T14:55:41Z","in_kev":false,"epss_prob":0.00313,"epss_percentile":0.54386,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-61674","severity":"medium","summary":"October CMS Vulnerable to Stored XSS via Editor and Branding Styles","affected_versions":"<3.7.13|>=4.0.0,<4.0.12|=v1.0.319|=v1.0.320|=v1.0.321|=v1.0.322|=v1.0.323|=v1.0.324|=v1.0.325|=v1.0.326|=v1.0.327|=v1.0.328|=v1.0.329|=v1.0.330|=v1.0.331|=v1.0.332|=v1.0.333|=v1.0.334|=v1.0.335|=v1.0.336|=v1.0.337|=v1.0.338|=v1.0.339|=v1.0.340|=v1.0.341|=v1.0.342|=v1.0.343|=v1.0.344|=v1.0.345|=v1.0.346|=v1.0.347|=v1.0.348|=v1.0.349|=v1.0.350|=v1.0.351|=v1.0.352|=v1.0.353|=v1.0.354|=v1.0.355|=v1.0.356|=v1.0.357|=v1.0.358|=v1.0.359|=v1.0.360|=v1.0.361|=v1.0.362|=v1.0.363|=v1.0.364|=v1.0.365|=v1.0.366|=v1.0.367|=v1.0.368|=v1.0.369|=v1.0.370|=v1.0.371|=v1.0.372|=v1.0.373|=v1.0.374|=v1.0.375|=v1.0.376|=v1.0.377|=v1.0.378|=v1.0.379|=v1.0.380|=v1.0.381|=v1.0.382|=v1.0.383|=v1.0.384|=v1.0.385|=v1.0.386|=v1.0.387|=v1.0.388|=v1.0.389|=v1.0.390|=v1.0.391|=v1.0.392|=v1.0.393|=v1.0.394|=v1.0.395|=v1.0.396|=v1.0.397|=v1.0.398|=v1.0.399|=v1.0.400|=v1.0.401|=v1.0.402|=v1.0.403|=v1.0.404|=v1.0.405|=v1.0.406|=v1.0.407|=v1.0.408|=v1.0.409|=v1.0.410|=v1.0.411|=v1.0.412|=v1.0.413|=v1.0.414|=v1.0.415|=v1.0.416|=v1.0.417|=v1.0.418|=v1.0.419|=v1.0.420|=v1.0.421|=v1.0.422|=v1.0.423|=v1.0.424|=v1.0.425|=v1.0.426|=v1.0.427|=v1.0.428|=v1.0.429|=v1.0.430|=v1.0.431|=v1.0.432|=v1.0.433|=v1.0.434|=v1.0.435|=v1.0.436|=v1.0.437|=v1.0.438|=v1.0.439|=v1.0.440|=v1.0.441|=v1.0.442|=v1.0.443|=v1.0.444|=v1.0.445|=v1.0.446|=v1.0.447|=v1.0.448|=v1.0.449|=v1.0.450|=v1.0.451|=v1.0.452|=v1.0.453|=v1.0.454|=v1.0.455|=v1.0.456|=v1.0.457|=v1.0.458|=v1.0.459|=v1.0.460|=v1.0.461|=v1.0.462|=v1.0.463|=v1.0.464|=v1.0.465|=v1.0.466|=v1.0.467|=v1.0.468|=v1.0.469|=v1.0.470|=v1.0.471|=v1.0.472|=v1.0.473|=v1.0.474|=v1.0.475|=v1.0.476|=v1.1.0|=v1.1.1|=v1.1.10|=v1.1.11|=v1.1.12|=v1.1.2|=v1.1.3|=v1.1.4|=v1.1.5|=v1.1.6|=v1.1.9","fixed_version":"4.0.12","source":"osv","published_at":"2026-01-09T18:12:58Z","in_kev":false,"epss_prob":0.0005,"epss_percentile":0.15389,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-24907","severity":"medium","summary":"October CMS has Stored XSS in Event Log Mail Preview","affected_versions":">=4.0.0,<4.1.10|<3.7.14|=v1.0.319|=v1.0.320|=v1.0.321|=v1.0.322|=v1.0.323|=v1.0.324|=v1.0.325|=v1.0.326|=v1.0.327|=v1.0.328|=v1.0.329|=v1.0.330|=v1.0.331|=v1.0.332|=v1.0.333|=v1.0.334|=v1.0.335|=v1.0.336|=v1.0.337|=v1.0.338|=v1.0.339|=v1.0.340|=v1.0.341|=v1.0.342|=v1.0.343|=v1.0.344|=v1.0.345|=v1.0.346|=v1.0.347|=v1.0.348|=v1.0.349|=v1.0.350|=v1.0.351|=v1.0.352|=v1.0.353|=v1.0.354|=v1.0.355|=v1.0.356|=v1.0.357|=v1.0.358|=v1.0.359|=v1.0.360|=v1.0.361|=v1.0.362|=v1.0.363|=v1.0.364|=v1.0.365|=v1.0.366|=v1.0.367|=v1.0.368|=v1.0.369|=v1.0.370|=v1.0.371|=v1.0.372|=v1.0.373|=v1.0.374|=v1.0.375|=v1.0.376|=v1.0.377|=v1.0.378|=v1.0.379|=v1.0.380|=v1.0.381|=v1.0.382|=v1.0.383|=v1.0.384|=v1.0.385|=v1.0.386|=v1.0.387|=v1.0.388|=v1.0.389|=v1.0.390|=v1.0.391|=v1.0.392|=v1.0.393|=v1.0.394|=v1.0.395|=v1.0.396|=v1.0.397|=v1.0.398|=v1.0.399|=v1.0.400|=v1.0.401|=v1.0.402|=v1.0.403|=v1.0.404|=v1.0.405|=v1.0.406|=v1.0.407|=v1.0.408|=v1.0.409|=v1.0.410|=v1.0.411|=v1.0.412|=v1.0.413|=v1.0.414|=v1.0.415|=v1.0.416|=v1.0.417|=v1.0.418|=v1.0.419|=v1.0.420|=v1.0.421|=v1.0.422|=v1.0.423|=v1.0.424|=v1.0.425|=v1.0.426|=v1.0.427|=v1.0.428|=v1.0.429|=v1.0.430|=v1.0.431|=v1.0.432|=v1.0.433|=v1.0.434|=v1.0.435|=v1.0.436|=v1.0.437|=v1.0.438|=v1.0.439|=v1.0.440|=v1.0.441|=v1.0.442|=v1.0.443|=v1.0.444|=v1.0.445|=v1.0.446|=v1.0.447|=v1.0.448|=v1.0.449|=v1.0.450|=v1.0.451|=v1.0.452|=v1.0.453|=v1.0.454|=v1.0.455|=v1.0.456|=v1.0.457|=v1.0.458|=v1.0.459|=v1.0.460|=v1.0.461|=v1.0.462|=v1.0.463|=v1.0.464|=v1.0.465|=v1.0.466|=v1.0.467|=v1.0.468|=v1.0.469|=v1.0.470|=v1.0.471|=v1.0.472|=v1.0.473|=v1.0.474|=v1.0.475|=v1.0.476|=v1.1.0|=v1.1.1|=v1.1.10|=v1.1.11|=v1.1.12|=v1.1.2|=v1.1.3|=v1.1.4|=v1.1.5|=v1.1.6|=v1.1.9","fixed_version":"3.7.14","source":"osv","published_at":"2026-04-14T20:02:50Z","in_kev":false,"epss_prob":0.00032,"epss_percentile":0.09126,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-27937","severity":"low","summary":"October CMS: Reflected XSS via DataTable Form Widget","affected_versions":"<3.7.16|>=4.0.0|=v1.0.319|=v1.0.320|=v1.0.321|=v1.0.322|=v1.0.323|=v1.0.324|=v1.0.325|=v1.0.326|=v1.0.327|=v1.0.328|=v1.0.329|=v1.0.330|=v1.0.331|=v1.0.332|=v1.0.333|=v1.0.334|=v1.0.335|=v1.0.336|=v1.0.337|=v1.0.338|=v1.0.339|=v1.0.340|=v1.0.341|=v1.0.342|=v1.0.343|=v1.0.344|=v1.0.345|=v1.0.346|=v1.0.347|=v1.0.348|=v1.0.349|=v1.0.350|=v1.0.351|=v1.0.352|=v1.0.353|=v1.0.354|=v1.0.355|=v1.0.356|=v1.0.357|=v1.0.358|=v1.0.359|=v1.0.360|=v1.0.361|=v1.0.362|=v1.0.363|=v1.0.364|=v1.0.365|=v1.0.366|=v1.0.367|=v1.0.368|=v1.0.369|=v1.0.370|=v1.0.371|=v1.0.372|=v1.0.373|=v1.0.374|=v1.0.375|=v1.0.376|=v1.0.377|=v1.0.378|=v1.0.379|=v1.0.380|=v1.0.381|=v1.0.382|=v1.0.383|=v1.0.384|=v1.0.385|=v1.0.386|=v1.0.387|=v1.0.388|=v1.0.389|=v1.0.390|=v1.0.391|=v1.0.392|=v1.0.393|=v1.0.394|=v1.0.395|=v1.0.396|=v1.0.397|=v1.0.398|=v1.0.399|=v1.0.400|=v1.0.401|=v1.0.402|=v1.0.403|=v1.0.404|=v1.0.405|=v1.0.406|=v1.0.407|=v1.0.408|=v1.0.409|=v1.0.410|=v1.0.411|=v1.0.412|=v1.0.413|=v1.0.414|=v1.0.415|=v1.0.416|=v1.0.417|=v1.0.418|=v1.0.419|=v1.0.420|=v1.0.421|=v1.0.422|=v1.0.423|=v1.0.424|=v1.0.425|=v1.0.426|=v1.0.427|=v1.0.428|=v1.0.429|=v1.0.430|=v1.0.431|=v1.0.432|=v1.0.433|=v1.0.434|=v1.0.435|=v1.0.436|=v1.0.437|=v1.0.438|=v1.0.439|=v1.0.440|=v1.0.441|=v1.0.442|=v1.0.443|=v1.0.444|=v1.0.445|=v1.0.446|=v1.0.447|=v1.0.448|=v1.0.449|=v1.0.450|=v1.0.451|=v1.0.452|=v1.0.453|=v1.0.454|=v1.0.455|=v1.0.456|=v1.0.457|=v1.0.458|=v1.0.459|=v1.0.460|=v1.0.461|=v1.0.462|=v1.0.463|=v1.0.464|=v1.0.465|=v1.0.466|=v1.0.467|=v1.0.468|=v1.0.469|=v1.0.470|=v1.0.471|=v1.0.472|=v1.0.473|=v1.0.474|=v1.0.475|=v1.0.476|=v1.1.0|=v1.1.1|=v1.1.10|=v1.1.11|=v1.1.12|=v1.1.2|=v1.1.3|=v1.1.4|=v1.1.5|=v1.1.6|=v1.1.9","fixed_version":"3.7.16","source":"osv","published_at":"2026-04-21T17:15:21Z","in_kev":false,"epss_prob":0.00033,"epss_percentile":0.09527,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-29179","severity":"low","summary":"October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations","affected_versions":">=4.0.0,<4.1.16|<3.7.16|=v1.0.319|=v1.0.320|=v1.0.321|=v1.0.322|=v1.0.323|=v1.0.324|=v1.0.325|=v1.0.326|=v1.0.327|=v1.0.328|=v1.0.329|=v1.0.330|=v1.0.331|=v1.0.332|=v1.0.333|=v1.0.334|=v1.0.335|=v1.0.336|=v1.0.337|=v1.0.338|=v1.0.339|=v1.0.340|=v1.0.341|=v1.0.342|=v1.0.343|=v1.0.344|=v1.0.345|=v1.0.346|=v1.0.347|=v1.0.348|=v1.0.349|=v1.0.350|=v1.0.351|=v1.0.352|=v1.0.353|=v1.0.354|=v1.0.355|=v1.0.356|=v1.0.357|=v1.0.358|=v1.0.359|=v1.0.360|=v1.0.361|=v1.0.362|=v1.0.363|=v1.0.364|=v1.0.365|=v1.0.366|=v1.0.367|=v1.0.368|=v1.0.369|=v1.0.370|=v1.0.371|=v1.0.372|=v1.0.373|=v1.0.374|=v1.0.375|=v1.0.376|=v1.0.377|=v1.0.378|=v1.0.379|=v1.0.380|=v1.0.381|=v1.0.382|=v1.0.383|=v1.0.384|=v1.0.385|=v1.0.386|=v1.0.387|=v1.0.388|=v1.0.389|=v1.0.390|=v1.0.391|=v1.0.392|=v1.0.393|=v1.0.394|=v1.0.395|=v1.0.396|=v1.0.397|=v1.0.398|=v1.0.399|=v1.0.400|=v1.0.401|=v1.0.402|=v1.0.403|=v1.0.404|=v1.0.405|=v1.0.406|=v1.0.407|=v1.0.408|=v1.0.409|=v1.0.410|=v1.0.411|=v1.0.412|=v1.0.413|=v1.0.414|=v1.0.415|=v1.0.416|=v1.0.417|=v1.0.418|=v1.0.419|=v1.0.420|=v1.0.421|=v1.0.422|=v1.0.423|=v1.0.424|=v1.0.425|=v1.0.426|=v1.0.427|=v1.0.428|=v1.0.429|=v1.0.430|=v1.0.431|=v1.0.432|=v1.0.433|=v1.0.434|=v1.0.435|=v1.0.436|=v1.0.437|=v1.0.438|=v1.0.439|=v1.0.440|=v1.0.441|=v1.0.442|=v1.0.443|=v1.0.444|=v1.0.445|=v1.0.446|=v1.0.447|=v1.0.448|=v1.0.449|=v1.0.450|=v1.0.451|=v1.0.452|=v1.0.453|=v1.0.454|=v1.0.455|=v1.0.456|=v1.0.457|=v1.0.458|=v1.0.459|=v1.0.460|=v1.0.461|=v1.0.462|=v1.0.463|=v1.0.464|=v1.0.465|=v1.0.466|=v1.0.467|=v1.0.468|=v1.0.469|=v1.0.470|=v1.0.471|=v1.0.472|=v1.0.473|=v1.0.474|=v1.0.475|=v1.0.476|=v1.1.0|=v1.1.1|=v1.1.10|=v1.1.11|=v1.1.12|=v1.1.2|=v1.1.3|=v1.1.4|=v1.1.5|=v1.1.6|=v1.1.9","fixed_version":"3.7.16","source":"osv","published_at":"2026-04-21T17:15:38Z","in_kev":false,"epss_prob":0.0003,"epss_percentile":0.08655,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-61676","severity":"medium","summary":"October CMS Vulnerable to Stored XSS via Branding Styles","affected_versions":"<3.7.13|>=4.0.0,<4.0.12|=v1.0.319|=v1.0.320|=v1.0.321|=v1.0.322|=v1.0.323|=v1.0.324|=v1.0.325|=v1.0.326|=v1.0.327|=v1.0.328|=v1.0.329|=v1.0.330|=v1.0.331|=v1.0.332|=v1.0.333|=v1.0.334|=v1.0.335|=v1.0.336|=v1.0.337|=v1.0.338|=v1.0.339|=v1.0.340|=v1.0.341|=v1.0.342|=v1.0.343|=v1.0.344|=v1.0.345|=v1.0.346|=v1.0.347|=v1.0.348|=v1.0.349|=v1.0.350|=v1.0.351|=v1.0.352|=v1.0.353|=v1.0.354|=v1.0.355|=v1.0.356|=v1.0.357|=v1.0.358|=v1.0.359|=v1.0.360|=v1.0.361|=v1.0.362|=v1.0.363|=v1.0.364|=v1.0.365|=v1.0.366|=v1.0.367|=v1.0.368|=v1.0.369|=v1.0.370|=v1.0.371|=v1.0.372|=v1.0.373|=v1.0.374|=v1.0.375|=v1.0.376|=v1.0.377|=v1.0.378|=v1.0.379|=v1.0.380|=v1.0.381|=v1.0.382|=v1.0.383|=v1.0.384|=v1.0.385|=v1.0.386|=v1.0.387|=v1.0.388|=v1.0.389|=v1.0.390|=v1.0.391|=v1.0.392|=v1.0.393|=v1.0.394|=v1.0.395|=v1.0.396|=v1.0.397|=v1.0.398|=v1.0.399|=v1.0.400|=v1.0.401|=v1.0.402|=v1.0.403|=v1.0.404|=v1.0.405|=v1.0.406|=v1.0.407|=v1.0.408|=v1.0.409|=v1.0.410|=v1.0.411|=v1.0.412|=v1.0.413|=v1.0.414|=v1.0.415|=v1.0.416|=v1.0.417|=v1.0.418|=v1.0.419|=v1.0.420|=v1.0.421|=v1.0.422|=v1.0.423|=v1.0.424|=v1.0.425|=v1.0.426|=v1.0.427|=v1.0.428|=v1.0.429|=v1.0.430|=v1.0.431|=v1.0.432|=v1.0.433|=v1.0.434|=v1.0.435|=v1.0.436|=v1.0.437|=v1.0.438|=v1.0.439|=v1.0.440|=v1.0.441|=v1.0.442|=v1.0.443|=v1.0.444|=v1.0.445|=v1.0.446|=v1.0.447|=v1.0.448|=v1.0.449|=v1.0.450|=v1.0.451|=v1.0.452|=v1.0.453|=v1.0.454|=v1.0.455|=v1.0.456|=v1.0.457|=v1.0.458|=v1.0.459|=v1.0.460|=v1.0.461|=v1.0.462|=v1.0.463|=v1.0.464|=v1.0.465|=v1.0.466|=v1.0.467|=v1.0.468|=v1.0.469|=v1.0.470|=v1.0.471|=v1.0.472|=v1.0.473|=v1.0.474|=v1.0.475|=v1.0.476|=v1.1.0|=v1.1.1|=v1.1.10|=v1.1.11|=v1.1.12|=v1.1.2|=v1.1.3|=v1.1.4|=v1.1.5|=v1.1.6|=v1.1.9","fixed_version":"4.0.12","source":"osv","published_at":"2026-01-09T20:12:24Z","in_kev":false,"epss_prob":0.0005,"epss_percentile":0.15389,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"v1.1.12","total_count":169,"recent":["v1.1.12","v1.1.11","v1.1.10","v1.1.9","v1.1.6","v1.1.5","v1.1.4","v1.1.3","v1.1.2","v1.1.1","v1.1.0","v1.0.476","v1.0.475","v1.0.474","v1.0.473","v1.0.472","v1.0.471","v1.0.470","v1.0.469","v1.0.468"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":2,"first_published":null,"last_published":"2022-02-20T01:54:45+00:00","dependencies_count":2,"dependencies":["php","composer/installers"]},"github_stats":null,"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"use_with_caution","issues":["Low health score (33/100)"],"use_version":"v1.1.12","version_hint":"Update to >= 4.0.12 to fix known vulnerabilities","summary":"october/system@v1.1.12 low health (33/100) — consider alternatives"},"version_scoped":null,"requested_version":null,"_cache":"miss","_response_ms":1570,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"version_history_summary":{"total_versions":20,"first_release_age_days":3683,"last_release_days_ago":1532,"avg_days_between_releases":194,"release_velocity":"stale"}}