my-server
← Wiki Redirected from October (CMS)

October (software)

October is a self-hosted content management system (CMS) based on the PHP programming language and Laravel web application framework. It supports MariaDB, MySQL, PostgreSQL, SQLite and SQL Server for the database back end and uses a flat file database for the front end structure. The October CMS covers a range of capabilities such as users, permissions, themes, and plugins, and is seen as a simpler alternative to WordPress.

The platform is intended to have a small learning curve and a template system easily manageable with version control systems. As of November 2023, October is the second-most starred PHP CMS repository hosted on GitHub and is 17th most popular on the internet in open source category according to the number built.

On April 12, 2021, October CMS transitioned from using an MIT License to a proprietary software model citing concerns over a lack of sustainability with the open-source model.

Features

October offers the following features, among others:

  • Components, a key feature that are configurable building elements that can be attached to any page.
  • Building an interface requires minimal programming.
  • Flat files are used to serve the website structure.
  • Includes an Ajax framework, later released as a standalone open-source package called Larajax (see below), built in for back-end and front-end.
  • Uses Twig as template engine. This makes it possible to completely separate data from the templates.
  • File manager with CDN support and image cropping.
  • CSS and JavaScript assets can be combined and minified with just a single tag in the CMS templates.
  • The whole setup is event-driven, which enables the user to hook into core or plugin processes and extend them.
  • Updates and plugins are delivered with a package manager.
  • Community-contributed extensions in the October CMS marketplace.
  • The back-end is translated into 36 languages.

Larajax

In January 2026, with the release of October CMS v4.1, the project's built-in Ajax framework was extracted and released as an independent open-source package called Larajax, licensed under the MIT License. Larajax allows Laravel developers to call controller methods directly from HTML using a <code>data-request</code> attribute, without creating separate API routes. The package consolidates page-specific actions into a single route per page rather than requiring separate API endpoints, using an approach the developers described as having been refined over years of production use within October CMS.

The release marked a partial return to open-source distribution for the project, which had moved to a proprietary license in 2021.

Ukraine cyberattacks

From the 13th to 14th of January 2022, a known vulnerability in October CMS was used to deface the Ministry of Education and Science, the Ministry of Foreign Affairs, the Cabinet of Ministers and other Ukrainian government websites as part of the 2022 Ukraine cyberattacks. The Ukrainian Ministry of Digital Transformation announced that there was no data leak. The vulnerabilities were fixed nearly a year before the attack, although not all sites were running the latest version. Ukrainian cybersecurity agencies said the attack involved exploitation of CVE-2021-32648, a vulnerability in the October CMS, as well as the exploitation of the notorious Log4Shell flaw, and DDoS attacks.

See also

References