KEVIntel

Vulnerability detail

Enriched intelligence for a single CVE

Back to KEVs

8.2

CVSS
High

CVE-2021-32648

PUBLISHED

Account Takeover in Octobercms

Exploited in the wild Remote Low complexity No user interaction

Vendor: octobercms
Product: october
Published: Aug 26, 2021
EPSS: —

Description

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

php cisa nuclei_scanner

CVSS scores

CVSS v3.1 8.2 High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Exploitation status

Exploited in the wild

Recorded 2022-01-18 00:00:00 UTC · Source

SSVC decision points

Exploitation: active
Automatable: Yes
Technical impact: partial

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
CISA	Jan 18, 2022
CISA	Jan 18, 2022

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-32648.yaml	Jun 01, 2026

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

Immersive-Labs-Sec/CVE-2021-32648

github · Created 2022-01-14 15:50:11 UTC · 12 stars

Proof Of Concept code for OctoberCMS Auth Bypass CVE-2021-32648

Timeline

CVE ID Reserved

May 12, 2021
CVE Published to Public

August 26, 2021
Added to KEVIntel

January 18, 2022
Added to KEVIntel

January 18, 2022
Detected by Nuclei

June 01, 2026