Description
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with CMS_SAFE_MODE enabled (disabled by default). This issue has been fixed in versions 3.7.13 and 4.1.5. To work around this issue, users can disable CMS_SAFE_MODE if untrusted template editing is not required, and restrict CMS template editing permissions to fully trusted administrators only.
Published: 2026-04-14
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass of template sandbox allowing arbitrary template execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from the optional Twig safe mode (CMS_SAFE_MODE) in October CMS. Certain methods on the collect() helper were not properly restricted, enabling authenticated users with template editing permissions to bypass sandbox protections. This bypass permits the execution of arbitrary code within Twig templates. The weakness is a failure to enforce proper access control (CWE-284) and a protection mechanism failure (CWE-693).

Affected Systems

October CMS versions prior to 3.7.13 and 4.0.0 through 4.1.4. The issue only impacts installations where the CMS_SAFE_MODE feature is enabled, which is disabled by default.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity. Exploitation requires authenticated backend access with template editing permissions and the CMS_SAFE_MODE setting enabled. EPSS data is not available, and the vulnerability is not in the CISA KEV catalog. Attackers must first gain legitimate user credentials; there is no known unauthenticated vector, so the risk is moderate to high for organizations with admins who have template editing rights.

Generated by OpenCVE AI on April 14, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to October CMS 3.7.13 or later, or 4.1.5 or later
  • If an upgrade is not immediately possible, disable CMS_SAFE_MODE to eliminate the sandbox bypass vulnerability
  • Restrict CMS template editing permissions to fully trusted administrators only
  • Verify that no other installations with CMS_SAFE_MODE remain active


Advisories

Source: GitHub GHSA
ID: GHSA-m5qg-jc75-4jp6
Title: October Rain has a Twig Sandbox Bypass via Collection Methods
History

Wed, 15 Apr 2026 14:45:00 +0000

Type: First Time appeared
Values Added: Octobercms; Octobercms october

Type: Vendors & Products
Values Added: Octobercms; Octobercms october

Tue, 14 Apr 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 17:00:00 +0000

Type: Description
Values Added: October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with CMS_SAFE_MODE enabled (disabled by default). This issue has been fixed in versions 3.7.13 and 4.1.5. To work around this issue, users can disable CMS_SAFE_MODE if untrusted template editing is not required, and restrict CMS template editing permissions to fully trusted administrators only.

Type: Title
Values Added: October CMS: Twig Sandbox Bypass via Collection Methods

Type: Weaknesses
Values Added: CWE-284; CWE-693

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added:

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T19:42:40.460Z

Reserved: 2026-01-08T19:23:09.855Z

Link: CVE-2026-22692

Vulnrichment

Updated: 2026-04-14T19:42:33.502Z

NVD

Status: Received

Published: 2026-04-14T17:16:28.423

Modified: 2026-04-14T17:16:28.423

Link: CVE-2026-22692

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:15:06Z

Weaknesses